WhatsApp has issued a security update after concerns were raised about a loophole that could be used to compromise the app, despite the company’s end-to-end encryption.
The messaging service pushed the security patch after it was revealed that the vulnerability was used to install the notorious Pegasus spyware.

The vulnerability, known as CVE-2025-55177, worked alongside a different Apple flaw (CVE-2025-43300) in what’s known as a zero-click attack — something that doesn’t require any action by the recipient to take effect. Chained together, the two bugs would allow attackers to push spyware that had access to data stored on the impacted device.
Security researchers say the campaign was aimed at a small number of users. Describing the operation as an “advanced spyware campaign that has been under development and operational for several months,” the Security Lab of Amnesty International said the targets of the spyware campaign had been selected over the last few months. WhatsApp notified affected accounts that their phones may have been compromised and that their personal information — including messages — may have been read.

Apple had earlier released a fix for the underlying operating system bug and had described the exploit as a ‘highly targeted’ attack against its users. The checkm8-based exploit is on the chain side, and WhatsApp’s update closes the messaging-app side of the exploit chain to prevent continued exploitation of the vector.
Efforts to pin the attacks on a named actor or commercial surveillance vendor have been inconclusive. WhatsApp would not confirm that it has definitive evidence that the intrusion is connected to any specific group or supplier.
The case is just the latest in which state-grade spyware has been delivered through messaging-platform flaws. In another legal action, a spyware supplier was instructed to pay a large sum in damages after its tools were linked to a campaign that attacked users’ devices via a messaging app vulnerability. Other reported campaigns have also targeted journalists and civil society figures, leading to inquiries and limits on commercial spyware use by some governments.
WhatsApp encourages users to update their apps and device software to protect against potential security threats, enable automatic updates when possible and familiarize themselves with any security notifications. Other users who received a notification should follow the platform’s instructions and seek professional incident response help when they suspect ongoing compromise.