WhatsApp security vulnerability on Apple devices

On August 30, 2025, it was reported that a since-fixed vulnerability in WhatsApp had enabled attacks on iPhones, iPads, and Macs without any user interaction, a classic "zero-click" vector. The root cause was incomplete authorization of the messages WhatsApp uses to synchronize linked devices: an unrelated sender could cause the target's device to process content from an attacker-controlled URL. Combined with a separate vulnerability fixed by Apple, this let attackers plant spyware without the victim typing or clicking anything. The WhatsApp flaw is recorded as CVE-2025-55177 (CVSS 8.0, "high").

Affected were WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS prior to 2.25.21.78, and WhatsApp for macOS prior to 2.25.21.78; Meta has shipped fixed builds for all three clients. Particularly serious: the flaw could be chained with an Apple vulnerability in the ImageIO (Image I/O) image-parsing framework, CVE-2025-43300, an out-of-bounds write triggered by a malicious image file, which Apple closed about a week earlier with iOS/iPadOS 18.6.2 and macOS 15.6.1. Either fix on its own breaks this particular chain, but each bug is exploitable in other combinations, so both should be applied: as things stand, anyone who updates both WhatsApp and the operating system is protected against the described attack vector.
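A fleet operator usually has to answer "which of our devices are still exposed?" from an MDM export rather than by tapping through each phone. The following Python script is an added example, not code from the article, Meta or Apple: it triages a device inventory against the fixed versions named above, assuming that builds at or above 2.25.21.73 (WhatsApp for iOS), 2.25.21.78 (WhatsApp Business for iOS and WhatsApp for macOS), iOS/iPadOS 18.6.2 and macOS 15.6.1 carry the fixes. The device names and version numbers in the inventory are constructed sample data. It flags each CVE separately, since a device can be exposed to one bug even when the chain is already broken, and it compares versions numerically, because plain string comparison mis-ranks builds such as 2.25.21.100.

```python
# Added example (not from the original article, Meta or Apple): triage a
# device inventory against the fixed versions in the advisory above.
# Inventory rows are constructed sample data with hypothetical device names.
from dataclasses import dataclass

# First WhatsApp build per platform/app that contains the CVE-2025-55177 fix.
WHATSAPP_FIXED = {
    ("ios", "whatsapp"): "2.25.21.73",
    ("ios", "whatsapp_business"): "2.25.21.78",
    ("macos", "whatsapp"): "2.25.21.78",
}
# First OS release that contains the CVE-2025-43300 (ImageIO) fix.
OS_FIXED = {"ios": "18.6.2", "ipados": "18.6.2", "macos": "15.6.1"}


def parse_version(v: str) -> tuple:
    """'2.25.21.73' -> (2, 25, 21, 73). Numeric parts matter: as plain
    strings, '2.25.21.100' sorts below '2.25.21.73', so a patched build
    would be flagged as vulnerable."""
    return tuple(int(p) for p in v.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than b; shorter tuples are
    zero-padded so that '18.6' compares equal to '18.6.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


@dataclass
class Device:
    name: str
    platform: str     # "ios", "ipados" or "macos"
    os_version: str
    app: str          # "whatsapp" or "whatsapp_business"
    app_version: str


def triage(d: Device) -> dict:
    """Flag each CVE separately; the zero-click chain needs both to be open."""
    app_platform = "macos" if d.platform == "macos" else "ios"
    fixed_app = WHATSAPP_FIXED.get((app_platform, d.app))
    # None: the advisory gives no threshold for this combination (e.g.
    # WhatsApp Business on macOS), so it cannot be assessed from this data.
    app_vuln = None if fixed_app is None else version_lt(d.app_version, fixed_app)
    os_vuln = version_lt(d.os_version, OS_FIXED[d.platform])
    return {
        "device": d.name,
        "cve_2025_55177": app_vuln,
        "cve_2025_43300": os_vuln,
        "chain_possible": bool(app_vuln) and os_vuln,
    }


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    Device("cfo-iphone", "ios", "18.6.1", "whatsapp", "2.25.21.70"),
    Device("ops-mac", "macos", "15.6.1", "whatsapp", "2.25.21.78"),
    Device("sales-iphone", "ios", "18.6.2", "whatsapp_business", "2.25.21.60"),
    Device("dev-ipad", "ipados", "18.5", "whatsapp", "2.25.21.100"),
]


def needs_action(devices=SAMPLE_INVENTORY) -> list:
    """Names of devices with at least one of the two bugs still unpatched."""
    return [r["device"] for r in map(triage, devices)
            if r["cve_2025_55177"] or r["cve_2025_43300"]]


if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        print(triage(dev))
    print("needs action:", needs_action())
```

In the sample data only cfo-iphone still has the full chain open, but sales-iphone (old WhatsApp Business) and dev-ipad (old iPadOS) each still carry one of the two bugs and should be updated too; dev-ipad also shows why the numeric comparison matters, since its build 2.25.21.100 is newer than 2.25.21.73 even though it sorts lower as a string.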

Both Meta and external researchers assess that the vulnerability has already been exploited in targeted attacks. Donncha Ó Cearbhaill of Amnesty International's Security Lab reports that WhatsApp has sent warning messages to affected users; where compromise is suspected, a full factory reset is recommended. Regardless of whether you received such a warning, update the app and the OS immediately and keep installing updates promptly.

The bottom line is that this incident shows the continuing appeal of zero-click attacks on popular messengers, and how much depends on both sides fixing their part quickly: the app vendor, who closes the authorization gap, and the platform vendor, who hardens system-level media parsers. For users this means: don't wait, update WhatsApp and iOS/iPadOS or macOS now to break the attack chain of CVE-2025-55177 and CVE-2025-43300. Official notices and advisory collections record the status of the fixes.

Source: https://www.heise.de/news/Zero-Click-Angriff-auf-Apple-Geraete-via-WhatsApp-10626629.html

Recommended security measures:

  • Update WhatsApp now. Affected versions were WhatsApp for iOS prior to 2.25.21.73, WhatsApp Business for iOS prior to 2.25.21.78, and WhatsApp for macOS prior to 2.25.21.78. Install the latest version on your iPhone/iPad and Mac.
  • Install Apple updates. Update iOS/iPadOS to 18.6.2 and macOS to 15.6.1 (or newer), as the attack chain exploits an Apple vulnerability in ImageIO (CVE-2025-43300).
  • If you suspect an attack: factory reset. If you have received a WhatsApp warning or have reasonable grounds for suspicion, perform a complete device reset and set the device up from scratch. If you need evidence of the compromise, capture a device backup before resetting, because the reset destroys it.
  • Check linked devices. In WhatsApp, go to Settings → Linked Devices, review all entries, and log out any unknown devices.
  • Enable automatic updates. Set app updates (App Store) and system updates (iOS/iPadOS/macOS) to “automatic” so that fixes are applied promptly.
  • For high-risk profiles: activate Lockdown Mode. On iPhone/iPad/Mac, go to Settings → Privacy & Security → Lockdown Mode to further reduce zero-click attack surface, for example by restricting which message attachment types and web technologies the device will process.
  • Enable WhatsApp two-step verification. Set up an extra PIN plus (optional) recovery email under Settings → Account → Two-step verification. This does not affect the vulnerability above, but it stops someone who obtains your SMS verification code from registering your account on another phone.