WhatsApp, Apple Targeted by Zero-Click Cyberattack

A “sophisticated cyberattack” campaign exploited two coordinated zero-day vulnerabilities, one in the WhatsApp messaging platform and another in Apple operating systems. This exploit chain enabled the installation of spyware on specific users’ devices, bypassing security defenses without requiring any victim interaction. Both Meta and Apple have since distributed security patches to mitigate the identified threats.

"WhatsApp and Apple devices are some of the most widely used technologies on the planet, especially among senior executives. That popularity makes them prime targets," says Adam Boynton, Senior Manager of Security Strategy, Jamf. "Attackers know that if they can find a way in, the payoff is huge. It is why we see significant investment from adversaries in uncovering zero-click vulnerabilities like this one."

The effectiveness of this digital offensive relied on combining two security flaws previously unknown to developers, known as zero-day vulnerabilities. The methodology, shared by Security Week, was a zero-click attack, one of the most advanced and dangerous techniques in the cyberespionage arsenal. This method does not need the user to perform any action, like clicking a link or downloading a file, to compromise the device. The mere receipt of a malicious message was sufficient to initiate the exploit chain.

The first component is vulnerability CVE-2025-55177, which has a Common Vulnerability Scoring System (CVSS) severity score of 8.0. Located in WhatsApp, it was officially described as an “incomplete authorization of linked device synchronization messages.” This defect allowed a malicious actor to force the processing of content from arbitrary URLs on the target's device, serving as the initial entry vector.

The second link in the chain is vulnerability CVE-2025-43300, identified in Apple's operating systems. This is an out-of-bounds write error in the ImageIO framework component, a core library for processing images in iOS, iPadOS, and macOS. As a fundamental system library, its compromise has severe implications. It could potentially be exploited through any application that handles images, not just WhatsApp. This operating system-level vulnerability was what allowed attackers to escalate privileges and gain deep control over the affected device.

Research conducted by Amnesty International’s Security Lab suggests that these vulnerabilities were chained as part of an espionage campaign. Evidence indicates the attacks impacted users of both iPhone and Android devices. The targets included members of civil society, journalists and human rights defenders. This victim profile is consistent with the use of advanced spyware, often associated with state actors, for the surveillance of high-interest individuals.

In response to the incident, Meta, WhatsApp's parent company, implemented patches in July and August, reports Wired. The patches were for WhatsApp for iOS version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78 and WhatsApp for Mac version 2.25.21.78. Additionally, the corporation sent direct notifications to about 200 users it determined may have been specific targets of the attack.

Apple patched vulnerability CVE-2025-43300 on Aug. 20 with the release of iOS 18.6.2, iPadOS 18.6.2, and macOS Sequoia 15.6.1, along with corresponding updates for Sonoma and Ventura. Apple confirmed it was aware of reports about its active exploitation.