WhatsApp patches zero-click exploit targeting Apple

John Melendez

WhatsApp has released a security update addressing a vulnerability in its iOS and macOS clients that was exploited to compromise some Apple devices, the company confirmed in a security advisory.

The flaw, tracked as CVE-2025-55177, was used in combination with a separate Apple vulnerability (CVE-2025-43300) to execute a so-called zero-click attack — an exploit that does not require any action by the targeted user to take effect. When chained, the two flaws allowed attackers to deliver spyware capable of accessing data stored on affected devices.

Security researchers say the campaign targeted a limited number of users. Amnesty International’s Security Lab described the operation as an advanced spyware campaign that focused on selected individuals over recent months. WhatsApp told impacted accounts that their devices may have been compromised and that private information, including messages, could have been accessed.

Apple previously issued a patch for the underlying operating system vulnerability and characterized the exploit as a highly sophisticated attack aimed at specific targets. WhatsApp’s update addresses the messaging-app side of the exploit chain to prevent further abuse of the vector.

Attempts to attribute the attacks to a named actor or commercial surveillance vendor remain unresolved. WhatsApp declined to confirm whether it has conclusive evidence linking the intrusion to any particular group or supplier.

The incident follows prior instances in which state-grade spyware was deployed through messaging-platform vulnerabilities. In a separate legal action, a spyware vendor was ordered to pay substantial damages after its tools were tied to a campaign that breached user devices through a messaging app exploit. Other reported campaigns have similarly targeted journalists and civil society figures, prompting investigations and restrictions on commercial spyware use by some governments.

WhatsApp recommends that users keep the app and their device operating systems up to date, enable automatic updates where available, and review any security notices delivered through the app. Users whose accounts received a compromise notification should follow platform guidance and consider device diagnostics or professional incident response if they suspect an ongoing intrusion.

John Melendez is a seasoned tech news writer with a passion for exploring the latest innovations shaping the digital world. He covers emerging technologies, industry trends, and product launches, delivering insights that help readers stay ahead in a rapidly evolving landscape. With years of experience in tech journalism, John brings clarity and depth to complex topics, making technology accessible for professionals and everyday readers alike.