A new zero-click front
WhatsApp, owned by Meta, has addressed a major security flaw in its iOS and macOS applications after discovering it may have been exploited in a spyware campaign. The vulnerability, tracked as CVE-2025-55177, was combined with another Apple bug (CVE-2025-43300) revealed last week, giving attackers a way to breach fewer than 200 accounts globally. Those affected received in-app alerts telling them their devices had been compromised without any clicks or interaction, the defining trait of a zero-click exploit.
The bigger picture
The case highlights how widely used messaging platforms are being drawn into the surveillance fight. Hackers linked a flaw in WhatsApp with a weakness in Apple’s ImageIO framework, letting them break into devices quietly and extract conversations and other private data from journalists, activists, and members of civil society. The WhatsApp issue (CVE-2025-55177) affected WhatsApp for iOS before 2.25.21.73, WhatsApp Business for iOS before 2.25.21.78, and WhatsApp for Mac before 2.25.21.78, while Apple’s ImageIO bug (CVE-2025-43300) exposed iOS, iPadOS, and macOS until patches arrived in late August 2025. Researchers say it is another sign of how surveillance operations are shifting, with attackers stacking fresh zero-day exploits to slip past mobile security that was once considered hard to beat.
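The patched build numbers above are the one piece of this story a defender can act on directly: anything below them is exposed. The following is an added example (not code from the article, WhatsApp, or Apple) of a small fleet-audit helper that compares installed versions against those thresholds numerically. The product keys, the `audit` function, and the sample inventory are assumptions constructed for the demonstration; real device management tools report versions in their own formats.

```python
"""Flag WhatsApp installs still below the builds patched for CVE-2025-55177.

Added example; thresholds are the fixed versions reported in the article
("before X" is treated as strictly less than X). Product keys and the sample
inventory are constructed for illustration.
"""

# Fixed builds per product (hypothetical product keys chosen for this example).
PATCHED = {
    "whatsapp-ios": (2, 25, 21, 73),
    "whatsapp-business-ios": (2, 25, 21, 78),
    "whatsapp-macos": (2, 25, 21, 78),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.25.21.73' into (2, 25, 21, 73); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Pad the shorter tuple with zeros so '2.25.21' compares as '2.25.21.0'."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_vulnerable(product: str, version: str) -> bool:
    """True when the installed build is strictly older than the patched build.

    Comparison is done on integer tuples, not strings: a string compare would
    wrongly rank '2.25.21.9' above '2.25.21.73' and miss an unpatched device.
    """
    if product not in PATCHED:
        raise KeyError(f"no patch threshold known for product {product!r}")
    installed, fixed = _padded(parse_version(version), PATCHED[product])
    return installed < fixed


def audit(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return device ids whose WhatsApp build is below the patched version.

    Records for products without a known threshold are skipped rather than
    failing the whole run, so one unrelated app does not block the report.
    """
    flagged = []
    for device_id, product, version in inventory:
        if product not in PATCHED:
            continue
        if is_vulnerable(product, version):
            flagged.append(device_id)
    return flagged


# Constructed sample inventory: (device id, product key, installed version).
SAMPLE_INVENTORY = [
    ("ipad-01", "whatsapp-ios", "2.25.21.73"),            # exactly the fix: ok
    ("iphone-02", "whatsapp-ios", "2.25.20.80"),          # older minor: flagged
    ("mac-03", "whatsapp-macos", "2.25.21.78"),           # exactly the fix: ok
    ("iphone-04", "whatsapp-business-ios", "2.25.21.77"), # one build short: flagged
    ("iphone-05", "other-messenger", "7.0"),              # no threshold: skipped
]

if __name__ == "__main__":
    for device in audit(SAMPLE_INVENTORY):
        print(f"{device}: WhatsApp build below patched version, update required")
```

The point of the numeric comparison is the `2.25.21.9` versus `2.25.21.73` case: build strings sort lexically in the wrong order, so an audit that compares them as text silently reports an exposed device as patched.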
How it happened
The flaw in WhatsApp’s device synchronization feature allowed adversaries to manipulate authorization checks, triggering the processing of malicious content from external sources. Once chained with Apple’s memory corruption issue in ImageIO, attackers were able to send a malicious image that ran automatically, without the victim doing anything. The process happened out of sight: the device handled the image, memory was corrupted, and the spyware took over. WhatsApp patched the issue in late July and early August across its iOS and Mac apps, while Apple addressed its portion of the chain days later.
Even though the number of victims was limited, the impact was considerable. According to the Security Lab head at Amnesty International, the spyware operation lasted around three months and affected both iPhone and Android users, including members of civil society. Those notified were advised to reset their devices and keep systems updated, a sign of how serious the breach was. The operators remain unidentified, but the precision of the attack suggests backing from a commercial spyware vendor or a state actor.
A wider wave
WhatsApp’s history with spyware is long-running, from its 2019 lawsuit against NSO Group over Pegasus to more recent disruptions of campaigns targeting journalists and activists in Europe. Yet such measures have not stopped intruders from circling back, with each new wave adapting tactics and using the platform again as an entry point for surveillance.
Zero-click flaws are especially troubling because they give no signal before a device is taken over, leaving users with no way to step in. Updating software quickly is often the only defense, but attackers have shown they can exploit gaps before fixes reach the public. For people in high-risk roles, researchers advise keeping sensitive work on separate hardware and taking security alerts seriously. The episode also adds pressure on vendors to move faster with disclosures and patches, since even a mainstream app like WhatsApp can end up being used as a doorway for surveillance.