WhatsApp fixes ‘zero-click’ vulnerability that let hackers install spyware on iPhones and Macs

WhatsApp has announced that it fixed a security bug in the company’s app on iPhones and Macs that was used by hackers to get into the Apple devices of specific targeted users and attack them with spyware.
In a security advisory released earlier this week, WhatsApp confirmed that it had fixed a security vulnerability known as CVE-2025-43300 that “may have been exploited in a sophisticated attack against specific targeted users.”
Apart from WhatsApp, Apple also announced last week that it had fixed a vulnerability known as CVE-2025-55177. Combined, the two vulnerabilities may have allowed attackers to target specific Apple users and steal data from their devices.
Detailing the bug last week, Apple said, “Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
Meta spokesperson Margarita Franklin told TechCrunch that the company detected and patched the vulnerability a “few weeks ago” and had sent “less than 200” notifications to the affected WhatsApp users.
The vulnerability was present in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.
Donncha Ó Cearbhaill, Amnesty International’s Security Lab lead, described the recent attack in a post on X as an “advanced spyware campaign” that targeted several users in the last 90 days.
“Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,” Ó Cearbhaill wrote.
Zero-click vulnerabilities are security flaws that an attacker can exploit without any interaction from the user: the victim does not need to click on a link, open a file, or take any other action for the attacker to gain access.
Because victims can do little to protect themselves against such vulnerabilities, zero-click attacks are considered some of the most dangerous types of cyberattacks.