WhatsApp Fixes ‘Zero-Click’ Spyware Bug on Apple Devices

Let me explain this in simple words. WhatsApp just fixed a very serious security problem in its iPhone and Mac apps. What made it scary? Hackers could attack without you clicking on anything — no links, no files, nothing. That’s what experts call a “zero-click” exploit.

So, what really happened?

This bug, named CVE-2025-55177, worked together with another Apple flaw called CVE-2025-43300. Apple actually patched their issue last week. When both were combined, attackers had a backdoor straight into iPhones and Macs — and users had no clue.

According to WhatsApp’s own security note, the flaw was connected to device synchronization messages. In simple terms, WhatsApp could be tricked into opening a harmful link in the background, without the victim doing anything.

Now, here’s the worrying part. Amnesty International’s Security Lab confirmed that this wasn’t just theory. Some people were already targeted in a spyware campaign that lasted around 90 days. Fewer than 200 people worldwide were affected, but those included civil society members — the kind of people who are usually targeted by advanced surveillance tools.

Which versions were affected?

  • WhatsApp for iOS (before 2.25.21.73)
  • WhatsApp Business for iOS (before 2.25.21.78)
  • WhatsApp for Mac (before 2.25.21.78)
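If you look after more than one device, the practical question is whether a given build is below the fixed version for its product. The check below is an added example written for this post, not code from WhatsApp or Meta. The three fixed version strings are the ones listed above; the product keys and the small device inventory are constructed for illustration. It compares versions numerically rather than as text, which matters because a lexical comparison would wrongly rank "2.25.9.99" above "2.25.21.73".

```python
from typing import Dict, List, Tuple

# Fixed builds as stated in WhatsApp's advisory for CVE-2025-55177
# (product keys are this example's own naming, not WhatsApp's).
FIXED_VERSIONS: Dict[str, str] = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '2.25.21.73' into a tuple of ints.

    Comparing the raw strings would be wrong: '2.25.9.99' > '2.25.21.73'
    as text because '9' > '2', but 9 < 21 as a number.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed build.

    Shorter strings (e.g. '2.25.21') are padded with zeros so that
    '2.25.21' and '2.25.21.0' compare equal.
    """
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product {product!r}; known: {sorted(FIXED_VERSIONS)}")
    have = list(parse_version(installed))
    want = list(parse_version(FIXED_VERSIONS[product]))
    width = max(len(have), len(want))
    have += [0] * (width - len(have))
    want += [0] * (width - len(want))
    return have < want


def needs_update(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the device names whose installed build is still affected."""
    return [
        row["device"]
        for row in inventory
        if is_affected(row["product"], row["version"])
    ]


# Constructed sample inventory (not real devices) to exercise the check.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "phone-01", "product": "whatsapp-ios", "version": "2.25.21.73"},          # fixed
    {"device": "phone-02", "product": "whatsapp-ios", "version": "2.25.9.99"},           # affected
    {"device": "mac-01", "product": "whatsapp-mac", "version": "2.25.21.73"},            # affected: Mac needs .78
    {"device": "phone-03", "product": "whatsapp-business-ios", "version": "2.25.21.78"},  # fixed
]

if __name__ == "__main__":
    for name in needs_update(SAMPLE_INVENTORY):
        print(f"{name}: update WhatsApp")
```

Note that the Mac build "2.25.21.73" is flagged even though the same number is the fixed iOS build: each product has its own threshold, so the check must be keyed by product, not by version alone.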

Apple, on their side, rushed out an emergency fix earlier this month for their zero-day bug, which was already being exploited in what they called an “extremely sophisticated attack.”

WhatsApp’s Response

When WhatsApp notified targeted users, the warning was clear: We’ve blocked this particular attack inside WhatsApp, but if your Apple system itself is hacked, attackers may still be inside your device.

That means WhatsApp fixed their part, but Apple’s deeper system flaw was the real door hackers walked through. Donncha Ó Cearbhaill from Amnesty explained it well — the spyware gave hackers remote access, with victims never seeing a warning, all while their private chats and sensitive data were stolen.

He also added something important: Apple’s vulnerability wasn’t just about WhatsApp. It sat in a core image library, meaning other apps could have been used as entry points too.

Not the First Time

This isn’t new for WhatsApp. Back in 2019, the company went to court against NSO Group, the spyware vendor behind the infamous Pegasus malware, which infected more than 1,400 people. And more recently, another campaign in Italy tried targeting civil society through WhatsApp.

Why It Matters

Zero-click exploits are the most dangerous type of hack. Unlike phishing, where someone has to fall for a fake link, these attacks don’t need you to do anything. That makes them almost impossible for regular users to detect or stop on their own.

What Should You Do?

For most of us, the risk is low. But the lesson is clear: update everything — WhatsApp, iOS, macOS. Do it as soon as updates are released.

And if you’re a journalist, activist, or working in sensitive fields, take extra precautions. Apple’s Lockdown Mode and Android’s Advanced Protection Mode are built exactly for situations like this.

At the end of the day, spyware makers are always looking for new holes. The only real defense we have is staying updated and using every extra layer of protection we can.

