
A newly discovered critical vulnerability has put WhatsApp users across the globe on high alert. CVE-2025-55177, patched in August 2025, was a serious flaw affecting WhatsApp and WhatsApp Business for iOS (prior to v2.25.21.73) as well as WhatsApp for Mac (prior to v2.25.21.78). The vulnerability let sophisticated attackers compromise a device without any action from the victim.
What Was the Vulnerability?
The bug was an “authorization bypass”: WhatsApp failed to properly verify linked device synchronization messages. Attackers could exploit this to trigger processing of content from arbitrary URLs directly on a target’s device, using so-called “zero-click” exploits. Zero-click means victims did not have to click, reply, or interact with any message for the exploit to succeed.
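The failure mode described above is an authorization check that is missing before a sync message is acted on. The following Python sketch is an added illustration, not WhatsApp's code and not a description of its real protocol: the message fields, the LinkedDeviceRegistry, the fetcher and the trusted-host list are all constructed assumptions. It places a handler that processes any message claiming to be a sync message beside one that first verifies the sending device is actually linked to the account and then restricts which URLs it will fetch.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class SyncMessage:
    """Constructed stand-in for a linked-device synchronization message."""
    account_id: str
    sender_device_id: str
    payload_url: str

class LinkedDeviceRegistry:
    """Hypothetical record of which device ids are linked to which account."""
    def __init__(self):
        self._linked = {}  # account_id -> set of linked device ids

    def link(self, account_id, device_id):
        self._linked.setdefault(account_id, set()).add(device_id)

    def is_linked(self, account_id, device_id):
        return device_id in self._linked.get(account_id, set())

class RecordingFetcher:
    """Stands in for the component that downloads and processes remote content."""
    def __init__(self):
        self.fetched = []

    def fetch(self, url):
        self.fetched.append(url)
        return f"processed:{url}"

# Vulnerable pattern: the sender's claim to be a linked device is never checked,
# so any message can make the client process content from an arbitrary URL.
def handle_sync_vulnerable(msg, fetcher):
    return fetcher.fetch(msg.payload_url)

# Hardened pattern: verify linkage first, then constrain the URL to trusted origins.
TRUSTED_HOSTS = frozenset({"media.sync.example"})  # constructed allow-list

def handle_sync_hardened(msg, registry, fetcher):
    if not registry.is_linked(msg.account_id, msg.sender_device_id):
        raise PermissionError(f"sync message from unlinked device {msg.sender_device_id}")
    parsed = urlparse(msg.payload_url)
    if parsed.scheme != "https" or parsed.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"payload URL outside trusted origins: {msg.payload_url}")
    return fetcher.fetch(msg.payload_url)

def run_both(messages):
    """Feed the same messages to both handlers; return what each one fetched
    and the reasons the hardened handler rejected messages."""
    registry = LinkedDeviceRegistry()
    registry.link("acct-1", "phone-primary")
    registry.link("acct-1", "laptop-linked")
    vuln, hard = RecordingFetcher(), RecordingFetcher()
    rejections = []
    for msg in messages:
        handle_sync_vulnerable(msg, vuln)
        try:
            handle_sync_hardened(msg, registry, hard)
        except (PermissionError, ValueError) as exc:
            rejections.append(type(exc).__name__)
    return vuln.fetched, hard.fetched, rejections

# Constructed sample traffic: one legitimate sync, one from an unlinked device,
# one from a linked device pointing at an untrusted host.
SAMPLE = [
    SyncMessage("acct-1", "laptop-linked", "https://media.sync.example/blob/1"),
    SyncMessage("acct-1", "rogue-device", "https://attacker.invalid/payload"),
    SyncMessage("acct-1", "laptop-linked", "https://attacker.invalid/payload"),
]

if __name__ == "__main__":
    print(run_both(SAMPLE))
```

The second check matters even once linkage is verified: a linked device that is itself compromised should still not be able to steer the client to arbitrary origins.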
Exploit Chain: Apple Devices Also Targeted
CVE-2025-55177 was most dangerous in combination with a concurrently exploited flaw in Apple's operating systems (CVE-2025-43300), which together allowed attackers to compromise both WhatsApp and the device's core security. The exploit chain enabled advanced spyware to be installed on iPhones and Macs belonging to high-profile targets such as journalists, activists, and members of civil society.
Who Was Targeted?
Unlike mass phishing campaigns, attacks using CVE-2025-55177 were highly targeted. Amnesty International confirmed that WhatsApp issued threat notifications to fewer than 200 individuals over the last 90 days, warning of possible compromise from an advanced spyware operation. Victims are urged to perform a complete factory reset and update both their app and operating system to the latest versions.
WhatsApp’s Response and Recommendations
Meta patched the vulnerability and pushed updates globally, with additional warnings sent directly to those thought to be at risk. Both WhatsApp and security experts strongly recommend:
- Updating WhatsApp and Apple devices to the most recent versions.
- Performing a factory reset if notified of targeted exploitation.
- Enabling iOS Lockdown Mode or Android Advanced Protection Mode for extra security.
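For anyone checking a fleet against the first recommendation, the patched version numbers quoted above are the thresholds: iOS builds below v2.25.21.73 and Mac builds below v2.25.21.78 are affected. The Python below is an added example, not a tool from WhatsApp or Meta; the inventory rows are constructed. It compares versions numerically rather than as strings, which avoids the common mistake of treating "2.25.21.9" as newer than "2.25.21.73".

```python
import re

# Fixed versions as stated in the advisory text; WhatsApp Business for iOS
# shares the iOS threshold.
PATCHED = {
    "ios": (2, 25, 21, 73),
    "mac": (2, 25, 21, 78),
}

def parse_version(text):
    """Turn 'v2.25.21.73' into (2, 25, 21, 73); reject anything non-numeric."""
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))

def is_affected(platform, version):
    """True when the installed build predates the fix for that platform."""
    fixed = PATCHED.get(platform.lower())
    if fixed is None:
        raise KeyError(f"no threshold known for platform {platform!r}")
    return parse_version(version) < fixed

def triage_inventory(rows):
    """rows: iterable of (device_name, platform, version).
    Returns the names of devices still running an affected build."""
    return [name for name, platform, version in rows if is_affected(platform, version)]

# Constructed inventory export, not real device data.
INVENTORY = [
    ("reporter-iphone", "ios", "2.25.21.9"),
    ("desk-mac", "mac", "v2.25.21.78"),
    ("editor-iphone", "ios", "2.25.21.73"),
    ("travel-mac", "mac", "2.25.20.110"),
]

if __name__ == "__main__":
    print(triage_inventory(INVENTORY))
```

String comparison would have passed "reporter-iphone" because "9" sorts after "7"; the tuple comparison correctly flags it.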
The Big Picture: Surveillance and Zero-Click Exploits
This incident is part of a larger pattern: commercially developed spyware, often sold to governments, leveraging zero-day vulnerabilities against well-chosen, high-value targets. Previous incidents saw journalists and human rights defenders affected around the world[3][5]. With exploits fetching millions of dollars on the black market, the stakes have never been higher.