WhatsApp fixes zero-click exploit used to hack Apple devices

WhatsApp patches zero-click exploit used to compromise Apple devices

WhatsApp announced it fixed a critical vulnerability in its iOS and macOS clients that attackers used to silently hack the Apple devices of specific targets. The bug, tracked as CVE-2025-55177, was used together with an Apple-stated flaw (CVE-2025-43300) to run what security researchers called an "advanced spyware campaign."

Both flaws chained into a zero-click attack, meaning victims did not need to click links or open files to be compromised. According to Amnesty International’s Security Lab, the campaign targeted users over roughly the past 90 days (since late May). WhatsApp told affected users it could compromise devices and the data they contain, including messages.

Meta said it patched the WhatsApp vulnerability a few weeks ago and sent fewer than 200 notifications to users whose devices were likely targeted. The company has not publicly attributed the attacks to a specific actor or spyware vendor.

This incident echoes previous high-profile spyware abuses. In 2019, NSO Group’s Pegasus was used to break into many WhatsApp accounts; courts later ordered damages. Earlier this year WhatsApp disrupted another campaign that hit journalists and civil society in Europe. These repeat patterns raise concerns about surveillance tools being used against vulnerable groups and high-value targets.

Why this matters: zero-click chains are dangerous because they can bypass user awareness and standard phishing defenses. When messaging apps are the delivery vector, attackers gain a trusted channel straight into phones and laptops — where communications, credentials, and sensitive data live.

• Update WhatsApp, iOS and macOS immediately to the latest patched versions.
• If you received a WhatsApp notification about compromise, treat the device as breached and follow your incident response steps.
• Harden device telemetry and monitoring for indicators of compromise tied to messaging apps and remote code execution.
• Prioritize threat modeling for high-risk users — journalists, activists, executives — and reduce their exposure surface.

For organizations, this episode is a reminder to treat messaging clients as strategic attack surfaces. Patch management alone isn’t enough; detection rules, rapid notification triage, and rehearsed containment playbooks matter when a zero-click chain is in play.

QuarkyByte’s approach focuses on connecting tactical fixes to operational readiness: mapping how a messaging exploit could evolve into full device compromise, running tabletop simulations for high-risk user groups, and shaping prioritized detection and communication plans that shorten attacker dwell time. In a landscape where zero-click exploits reappear, organizations that combine fast patching with scenario-driven defenses will be best positioned to protect people and data.