Sophisticated Attack Targeted Dozens of Users, Including Journalists and Activists


Meta-owned messaging app WhatsApp has announced that it has fixed a security bug in its iOS and Mac apps that was being used to stealthily hack into the Apple devices of “specific targeted users.” The vulnerability, known as CVE-2025-55177, was used alongside a separate flaw found in iOS and Macs, which Apple fixed last week and tracks as CVE-2025-43300.

According to Donncha Ó Cearbhaill, who heads Amnesty International’s Security Lab, the attack was an “advanced spyware campaign” that targeted users over the past 90 days, or since the end of May. Ó Cearbhaill described the pair of bugs as a “zero-click” attack, meaning it did not require any interaction from the victim, such as clicking a link, to compromise their device.

The two bugs chained together allowed an attacker to deliver a malicious exploit through WhatsApp that was capable of stealing data from the user’s Apple device. Ó Cearbhaill posted a copy of the threat notification that WhatsApp sent to affected users, which revealed that the attack was able to “compromise your device and the data it contains, including messages.”

WhatsApp has confirmed that the attack was carried out using a combination of the CVE-2025-55177 and CVE-2025-43300 vulnerabilities. The company has not disclosed the exact number of users affected by the attack, but Donncha Ó Cearbhaill estimates that dozens of users were targeted.

“It’s a very sophisticated attack that requires a high level of expertise to execute,” Ó Cearbhaill said. “The attackers were able to exploit the vulnerabilities in a way that allowed them to bypass the security measures in place on the devices.”

The attack was discovered by Amnesty International’s Security Lab, which has been tracking the use of zero-click attacks by governments and other organizations. “This is not the first time that WhatsApp users have been targeted by government spyware,” Ó Cearbhaill said. “But it’s a reminder that the threat is still very real and that users need to be vigilant about their security.”

Meta spokesperson Margarita Franklin confirmed that the company detected and patched the flaw “a few weeks ago” and sent “less than 200” notifications to affected WhatsApp users. However, Franklin did not say if WhatsApp has evidence to attribute the hacks to a specific attacker or surveillance vendor.

This is not the first time that WhatsApp users have been targeted by government spyware, a kind of malware capable of breaking into fully patched devices with vulnerabilities not known to the vendor, known as zero-day flaws. In May, a U.S. court ordered spyware maker NSO Group to pay WhatsApp $167 million in damages for a 2019 hacking campaign that broke into the devices of more than 1,400 WhatsApp users with an exploit capable of planting NSO’s Pegasus spyware.

WhatsApp has disrupted a spyware campaign that targeted around 90 users, including journalists and members of civil society across Italy. Paragon, whose spyware was used in the campaign, later cut off Italy from its hacking tools for failing to investigate the abuse.

The attack highlights the ongoing threat of zero-click attacks and the need for users to be vigilant about their security. “This is a reminder that the security landscape is constantly evolving and that users need to stay informed and take steps to protect themselves,” Ó Cearbhaill said.

WhatsApp has recommended that users take several steps to protect themselves from zero-click attacks, including:

Keeping their devices and apps up to date with the latest security patches

Being cautious when receiving unsolicited messages or attachments

Using a reputable antivirus program to scan their devices for malware

Regularly backing up their data to prevent loss in the event of an attack

Users who believe they may have been affected by the attack are encouraged to reach out to WhatsApp for assistance.
