WhatsApp fixes a serious vulnerability used in targeted attacks


WhatsApp has addressed a serious security flaw in certain versions of its app. The vulnerability was a zero-click exploit, which the company says was being used to target specific users.
No details have been provided about those who were being targeted, so it is not clear whether they are celebrities, people linked to businesses, or something else. What is interesting, however, is the fact that it was Apple users who had been singled out.
Apple has already released patches for a number of its operating systems – both desktop and mobile. iOS 16.8.2, iPadOS 16.8.2, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8 and macOS Ventura 13.7.8 have all received updates to address the issue, which is described by WhatsApp as “an OS-level vulnerability on Apple platforms”.
The vulnerability was exploited over a period of three months in a targeted spyware campaign. WhatsApp has already contacted anyone it believes may have been affected, so if you have not received a notification from the company, you have nothing to worry about.
But what is worrying is that such a serious security issue could lie undetected and be actively exploited for so long – particularly when it is an OS-level security flaw. In the end, it was Internal Researchers on the WhatsApp Security Team who discovered the vulnerability.
Although we do not know the chain of events that happened next, as this was a vulnerability in Apple code, we can only assume that WhatsApp’s security team made Apple aware of the issue and developers set about fixing it.
Apple has not offered anything of substance in the way of insight into the matter beyond saying that the flaw has been exploited as part of an “extremely sophisticated attack against specific targeted individuals”.
In a note posted to the WhatsApp Security Advisories section of its website, WhatsApp says:
August Update
CVE-2025-55177
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
Acknowledgements: Internal Researchers on the WhatsApp Security Team
Make sure that you have both your operating system and your copy of WhatsApp updated to ensure you are safe.