WhatsApp recently patched a software vulnerability, officially identified as CVE-2025-55177, that unknown hackers exploited to target specific Apple users with spyware.
Meta-owned WhatsApp stated in an advisory that this previously unknown bug “may have been exploited in a sophisticated attack against specific targeted users.”
TechCrunch reported that WhatsApp addressed this vulnerability this week. Last week, Apple fixed a separate bug, CVE-2025-43300. These vulnerabilities collectively enabled malicious spyware attacks aimed at stealing data from specific Apple users’ devices.
Apple described its vulnerability: “Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
WhatsApp informed TechCrunch that it notified “less than 200 users” who may have been targeted by the campaign. Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, confirmed that these notifications were issued over the past 90 days.
Cearbhaill stated on X, “Our team at Amnesty International’s Security Lab is actively investigating cases with a number of individuals targeted in this campaign. We are available to support members of civil society who have received the WhatsApp notifications.”
Zero-click attacks, which do not require user interaction, are increasing. Attackers often deploy a malicious file, typically an image, to compromise a mobile operating system. Over several years, malware capable of zero-click attacks has targeted journalists, activists, and government officials, with much of it originating from Israeli companies.
