
WhatsApp zero-day chained with Apple OS flaw to target Apple users  


WhatsApp reported in an advisory that a zero-day in the communications application, in tandem with an OS-level bug on Apple platforms, may have been used to drop malware and even potentially spyware on Apple users.

The WhatsApp zero-day, CVE-2025-55177, affected WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.

WhatsApp, which is owned by social-media giant Meta, said the WhatsApp zero-day was used in combination with CVE-2025-43300, an out-of-bounds write issue at the OS level that Apple patched on Aug. 20. The WhatsApp zero-day was patched by Meta over the summer.

The case drew attention after a post by Amnesty International’s Donncha Ó Cearbhaill, who reported that the security defects were chained in zero-click attacks that were part of a suspected spyware campaign.

“WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days,” said Ó Cearbhaill on X. “Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them. Government spyware continues to pose a threat to journalists and human rights defenders. Kudos to WhatsApp and Apple for catching it and notifying.”

James Maude, Field CTO at BeyondTrust, said Meta has been proactive in both discovering the CVE-2025-55177 vulnerability and using in-app messaging to communicate with potentially targeted individuals. Maude said that when it was chained with CVE-2025-43300, an image-processing vulnerability in iOS and macOS, it may have been possible for threat actors to use an arbitrary URL to trigger the image-processing vulnerability in a zero-click exploit.

“This form of exploit with no user interactions is particularly challenging to mitigate so it’s vital that users update as soon as possible,” said Maude. “For many organizations WhatsApp serves as an unofficial communications tool for employees and may inadvertently hold confidential company information. While it appears that in this case the exploitation in the wild was brief and identifiable, it serves as a reminder to ensure that the lines between personal and professional communication tools remain clear.”

Evan Dornbush, chief executive officer at Desired Effect, added that the case is a textbook example of a zero-click exploit chain where a zero-day flaw in WhatsApp compels it to process a specially crafted message that then triggers a second zero-day vulnerability in the Apple OS that grants the attacker the ability to execute arbitrary code without any user interaction — often to deploy malware.

“All without the victim seeing anything on their device,” said Dornbush. “This type of attack underscores the failure of a reactive security model, highlighting the critical need for defenders to have vulnerability intelligence before it is weaponized, rather than just relying on patches and reboots after the fact.”
