WhatsApp has patched a critical zero-day vulnerability it believes was exploited in a sophisticated attack.

The messaging giant revealed in a security advisory late last week that CVE-2025-55177 relates to “incomplete authorization of linked device synchronization messages.”

The firm added: “It could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”

The Apple bug in question was described by the tech giant as an “out-of-bounds write issue” when it patched it on August 20.

“Processing a malicious image file may result in memory corruption,” it said at the time.

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”


Given the messaging from both firms, it’s highly likely that the bugs were exploited as part of a commercial spyware campaign. In fact, this was confirmed by Donncha Ó Cearbhaill, head of the security lab at Amnesty International, where he hunts for spyware used to target civil society.

In April 2023, for example, security researchers disclosed a zero-click, zero-day exploit that had been used a couple of years earlier to target iPhone users with commercial spyware. In that campaign, malware built by the secretive Israeli firm QuaDream was used.

These exploits are particularly dangerous as they require no user interaction to work, meaning victims are completely unaware that their every move is being watched. Once installed, spyware such as this, or the infamous Pegasus variant from NSO Group, is designed to access the device camera, microphone, messages, photos and much more.

NSO Group was ordered to pay $167m in damages earlier this year after a long-running legal battle with WhatsApp. It stemmed from a 2019 discovery that Pegasus had been used to target over a thousand WhatsApp users, including human rights activists, journalists and diplomats.  

CVE-2025-55177 impacts WhatsApp for iOS before v2.25.21.73, and WhatsApp Business for iOS and WhatsApp for Mac before v2.25.21.78; those releases carry the fix.
