A WhatsApp zero-day attack has compromised Apple devices using a previously unknown vulnerability, WhatsApp has confirmed. The sophisticated campaign targeted specific individuals by exploiting a chain of flaws in both WhatsApp and Apple’s operating systems. The WhatsApp flaw, now tracked as CVE-2025-55177, allowed attackers to trigger malicious code through linked device synchronization messages.
The attack combined this flaw with a second zero-day in Apple’s iOS, iPadOS, and macOS, labeled CVE-2025-43300. This vulnerability was an out-of-bounds write error in the ImageIO framework, which processes image files. When a device opened a malicious image, the flaw caused memory corruption, letting attackers take control.
Together, these weaknesses created a powerful exploit. The WhatsApp zero-day attack started when a target received a specially crafted sync message. This message forced the device to load content from a remote server. Once activated, the payload used the ImageIO bug to install stealthy spyware—no user interaction required.
The vulnerability affected:
- WhatsApp for iOS before v2.25.21.73
- WhatsApp Business for iOS before v2.25.21.78
- WhatsApp for Mac before v2.25.21.78
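To check a device inventory against the affected builds listed above, the following is an added example, not code from WhatsApp or from the original article. It assumes build numbers compare numerically, component by component; the inventory rows and device names are constructed.

```python
import re

# First fixed builds, taken from the affected-version list above.
FIXED = {
    "WhatsApp for iOS": (2, 25, 21, 73),
    "WhatsApp Business for iOS": (2, 25, 21, 78),
    "WhatsApp for Mac": (2, 25, 21, 78),
}

def parse_version(text):
    """Turn 'v2.25.21.73' or '2.25.21' into a tuple of ints; None if malformed."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def status(product, version):
    """Return 'vulnerable', 'patched', or 'unknown' for one installed app."""
    fixed = FIXED.get(product)
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # unlisted product or unparseable version: review by hand
    # Pad the shorter tuple with zeros so 2.25.22 compares as 2.25.22.0.
    # Assumption: components are compared as integers, so 2.25.9 < 2.25.21.
    width = max(len(fixed), len(parsed))
    parsed += (0,) * (width - len(parsed))
    fixed += (0,) * (width - len(fixed))
    return "vulnerable" if parsed < fixed else "patched"

def audit(inventory):
    """Return the rows that need action (anything not confirmed patched)."""
    return [(dev, prod, ver, status(prod, ver))
            for dev, prod, ver in inventory
            if status(prod, ver) != "patched"]

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE = [
    ("iphone-01", "WhatsApp for iOS", "2.25.21.72"),
    ("iphone-02", "WhatsApp for iOS", "v2.25.21.73"),
    ("iphone-03", "WhatsApp Business for iOS", "2.25.21.73"),
    ("mac-01", "WhatsApp for Mac", "2.25.9.100"),
    ("mac-02", "WhatsApp for Mac", "2.25.22"),
    ("ipad-01", "WhatsApp for iOS", "beta"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row, sep="\t")
```

Rows reported as "unknown" are returned alongside vulnerable ones so that an unparseable version string is reviewed rather than silently treated as safe.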
Apple has patched CVE-2025-43300 in iOS 18.5, iPadOS 18.5, and macOS Sequoia 15.5. The company confirmed the flaw “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities list, requiring immediate action from federal agencies.
WhatsApp’s security team discovered the WhatsApp zero-day attack during routine monitoring. They quickly deployed a fix to block the exploit in the app. The company is now sending direct threat notifications to users it believes were targeted in the past 90 days.
These alerts warn that a malicious message may have compromised the device and its data—including messages, photos, and personal files. The message states:
“We’ve made changes to prevent this specific attack from occurring through WhatsApp. However, your device’s operating system could remain compromised by the malware or be targeted in other ways.”
Because the spyware is highly advanced, WhatsApp advises affected users to perform a full factory reset. Simply updating the app won’t remove the threat. The malware can survive app updates by embedding deep in the operating system.
The company also urges all users to:
- Update WhatsApp to the latest version
- Install the newest iOS, iPadOS, or macOS updates
- Avoid pairing unknown devices in WhatsApp
This incident highlights the growing danger of mercenary spyware—tools sold to governments and used to target journalists, activists, and political figures. Unlike mass cyberattacks, these campaigns are precise, stealthy, and often invisible.
Past threats like Pegasus and Predator used similar zero-click methods. The use of a WhatsApp zero-day attack shows how attackers exploit trusted platforms to breach high-value targets.
Security experts stress that even cautious users can fall victim. Regular updates, fast response to alerts, and proactive device resets are essential defenses.
WhatsApp continues to strengthen end-to-end encryption and real-time threat detection. But as long as operating systems have flaws, attackers will find ways around app-level security.
This means protection isn’t just WhatsApp’s responsibility. Device makers and users must stay alert. Updating software is no longer optional—it’s a critical step in staying safe.
The WhatsApp zero-day attack sends a clear message: even the most secure apps depend on the security of the devices they run on. One unpatched flaw can bypass multiple layers of protection.
If you receive a threat notification, act immediately. Securely back up important data, then perform a factory reset. Only reinstall apps after updating the operating system.
As cyber threats grow more advanced, so must our defenses. Staying informed, updated, and proactive is the best way to protect your digital life.