WhatsApp Bug Anchors Targeted Zero-Click iPhone Attacks
Summary
A WhatsApp vulnerability (CVE-2025-55177, CVSS 5.4) has been linked to a sophisticated zero-click campaign that also used a patched Apple OS flaw (CVE-2025-43300). Meta and CISA say the WhatsApp bug could allow processing of content from an arbitrary URL on a target device; WhatsApp has released fixes for iOS and Mac clients. Fewer than 200 users received in-app threat notifications; reporting suggests journalists, activists and other high-profile individuals may have been targeted, and Amnesty International says Android users may also be affected.
Key Points
- The vulnerability (CVE-2025-55177) affected WhatsApp for iOS and Mac prior to specific fixed versions and allowed unauthorised processing of content from arbitrary URLs.
- The attack campaign combined the WhatsApp bug with an Apple out-of-bounds write zero-day (CVE-2025-43300) that Apple patched on 20 August.
- Roughly 200 users were notified by Meta; reporting indicates targets included journalists, activists and public figures, suggesting spyware delivery as an objective.
- CISA urged federal workforce users to update devices immediately and follow vendor mitigations or directives where applicable.
- Amnesty International is investigating indications that Android users may also have been impacted through WhatsApp.
- High-risk individuals may need additional remediation steps — including factory resets — to ensure devices are clean.
Content summary
The article explains that attackers exploited a WhatsApp bug alongside a separate Apple OS vulnerability to mount zero-click, targeted iPhone attacks likely intended to install spyware. Meta has patched WhatsApp, notified under 200 users, and recommended updates. Apple had already patched the OS-level flaw. Civil-society defenders, journalists and activists are highlighted as likely targets, and organisations such as Amnesty International are investigating broader impact including on Android users. Authorities and vendors urge prompt patching; for high-risk individuals, stronger remediation (factory resets) may be necessary.
Context and relevance
This incident fits a long-running pattern of mobile cyber-espionage that weaponises zero-click flaws and commercial spyware (e.g. Pegasus and related toolsets). It underscores the persistent risk to journalists, activists and public figures, and the speed at which attackers chain app-level and OS-level flaws. For security teams, the story reinforces the need for rapid patch management, threat notifications, and special handling for high-risk roles. It also illustrates why vendors, governments (CISA) and NGOs coordinate public advisories and investigations.
Why should I read this?
Because if you manage mobile devices, look after people who could be targeted, or just want to avoid getting owned without even opening a message, this is the sort of quietly nasty exploit that matters. Quick: update WhatsApp and iOS, check notices, and if you support journalists or activists, step up your remediation game — this isn’t a hypothetical.