WhatsApp Exploit Used in “Sophisticated” Apple Device Attacks

Published on Sep 3, 2025
Written by Joel Witts
Technical Review by Laura Iannini

WhatsApp has fixed a vulnerability that could have allowed a user to steal content from Apple iPhone and Mac devices, and which has reportedly been used in a “sophisticated attack”.

In an advisory posted last week, WhatsApp said the attack exploited a bug in specific versions of WhatsApp for iOS, WhatsApp Business, and WhatsApp for Mac. 

The bug could have allowed hackers to “trigger processing of content from an arbitrary URL on a target’s device.”

The vulnerability has been tracked as CVE-2025-55177 and impacted:

  • WhatsApp for iOS prior to v2.25.21.73
  • WhatsApp Business for iOS v2.25.21.78
  • WhatsApp for Mac v2.25.21.78

WhatsApp said the vulnerability may have been used alongside another known vulnerability on Apple platforms (CVE-2025-43300), to execute a “sophisticated attack against specific targeted users.”

Apple patched this vulnerability on August 20, describing it as “an out-of-bounds write issue,” which “was addressed with improved bounds checking.”

“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” the tech giant added.

Donncha Ó Cearbhaill, the Head of the Security Lab at Amnesty International, wrote on X that WhatsApp had sent out a round of threat notifications to individuals they believe had been targeted.

“Our team at Amnesty International’s Security Lab is actively investigating cases with a number of individuals targeted in this campaign,” he added.

Both of these vulnerabilities have now been patched. We recommend all Apple users ensure they are on the latest versions of both WhatsApp and iOS/macOS.

The Big Picture

Apple and WhatsApp have not provided any details as to who they suspect may have been behind the exploitation of these sophisticated vulnerabilities. 

But there is a large market for state-sponsored cybercrime using spyware developed specifically to target encrypted messaging services and Apple operating systems.

In May, the NSO Group, an Israeli cyber-intelligence firm, was fined over $167 million USD for exploiting a WhatsApp zero-day vulnerability to deploy its Pegasus software.

This attack, which took place in 2019, compromised around 1,400 WhatsApp users, including journalists, activists, and political dissidents.

Researchers at Google warned last year that there are around 40 small spyware players on the market today, including many that have never publicly been exposed.

These companies profit by discovering and selling zero-day vulnerabilities that allow nation-state clients to install spyware on mobile phones.

Such attacks are often highly targeted and sophisticated. They are unlikely to have a wider impact on the hundreds of millions of people who use WhatsApp and Apple devices every day. 

But as Google says, the use of this spyware has a “chilling effect” on targets, who commonly include journalists and those speaking out about human rights abuses.

