WhatsApp has released an urgent patch for a zero-click exploit used against specific iOS and macOS users, as privacy groups urge those affected to seek expert help.
The vulnerability, tracked as CVE-2025-55177 with a CVSS score of 8, could allow an attacker to trigger content processing from an arbitrary URL sent via WhatsApp.
The Meta-owned company said the issue allowed “incomplete authorization of linked device synchronization messages” and may have been used in “sophisticated attacks” tied to spyware.
Specifically, WhatsApp assessed it had been chained with CVE-2025-43300, an issue in Apple’s Image I/O framework in attacks against “specific targeted users.”
That bug, which allows memory corruption via malicious image files, was patched by Apple in an out-of-band update on August 20 after reports of similarly described attacks.
Ahead of publicly disclosing its patch, WhatsApp reportedly sent out advisories to an unspecified number of users it believed had been targeted in an advanced spyware campaign.
A press statement from Meta clarified the attack had impacted fewer than 200 users.
Amnesty warns users
According to Donncha Ó Cearbhaill, Head of Amnesty International’s Security Lab, the attack is likely also impacting Android users and is potentially linked to government spyware.
In a post on X, he said the lab was “actively investigating cases with a number of individuals targeted in this campaign.”
Adam Boynton, Senior Security Strategy Manager EMEIA at Apple security vendor Jamf, said the issue highlighted the need to remain wary of apps considered to be secure.
He said: “Exploits of this kind are often a launchpad for extracting sensitive data, harvesting credentials, eavesdropping on conversations, or even staging a ransomware attack further down the line.”
The app versions affected by CVE-2025-55177 are WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78.