Friday, August 29, 2025

WhatsApp patches vulnerability exploited in zero-day attacks


WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks.

The company says this zero-click flaw (tracked as CVE-2025-55177) impacts WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.

“Incomplete authorization of linked device synchronization messages in WhatsApp [..] might have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” WhatsApp said in a Friday security advisory.

“We assess that this vulnerability, together with an OS-level vulnerability on Apple platforms (CVE-2025-43300), could have been exploited in a sophisticated attack against specific targeted users.”

When Apple released emergency updates to patch the CVE-2025-43300 zero-day flaw earlier this month, it also acknowledged that the flaw had been exploited in an “extremely sophisticated attack.”

While the two companies have yet to publish further information regarding the attacks, Donncha Ó Cearbhaill (the head of the Security Lab at Amnesty International) said that WhatsApp just warned some users that they were targeted in an advanced spyware campaign over the last 90 days.

“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system may remain compromised by the malware or be targeted in other ways,” the alerts read.

In the threat notifications sent to potentially impacted individuals, WhatsApp advises them to perform a device factory reset and to keep their devices’ operating system and software up to date.

In March, WhatsApp patched another zero-day flaw, following reports from security researchers at the University of Toronto’s Citizen Lab, that was exploited to install Paragon’s Graphite spyware.

“WhatsApp has disrupted a spyware campaign by Paragon that targeted quite a few users including journalists and members of civil society. We’ve reached out directly to people who we believe were affected,” a WhatsApp spokesperson told BleepingComputer at the time.
