Concise Cyber


WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

In a critical security alert, WhatsApp has released an urgent patch to address a “zero-click” vulnerability that has been actively exploited in the wild. The flaw, which affects both iOS and macOS users, allowed sophisticated attackers to compromise a user’s device without any interaction from the victim.

This is a serious development as “zero-click” attacks are among the most dangerous and sought-after exploits. Unlike a typical phishing scam that requires a user to click a malicious link or open an infected attachment, a zero-click exploit can silently compromise a device just by receiving a specially crafted message or file. This means the victim has no opportunity to detect or prevent the attack.

The Exploit in Detail

According to a security advisory from WhatsApp and a related patch from Apple, the attack was a two-part chain that leveraged vulnerabilities in both the WhatsApp application and the Apple operating system.

The primary vulnerability in WhatsApp, tracked as CVE-2025-55177, was related to “incomplete authorization of linked device synchronization messages.” This flaw could be triggered by an attacker to process content from an arbitrary URL on a target’s device. This was then combined with a separate vulnerability in Apple’s ImageIO framework, CVE-2025-43300, which could lead to memory corruption when processing a malicious image file.

By chaining these two bugs, an attacker could send a message via WhatsApp that silently triggered the processing of a malicious image, allowing them to execute code and install spyware on the device without the user ever knowing.

Who Was Targeted?

While WhatsApp has stated the attack was “sophisticated” and aimed at “specific targeted users,” security researchers and human rights organizations, such as Amnesty International, have reported that the targets included journalists, human rights defenders, and other civil society members. These types of attacks are often associated with commercial spyware vendors and state-sponsored actors who use them for surveillance.

Immediate Action Required

Both Apple and WhatsApp have released patches to close these vulnerabilities. To protect yourself, it is crucial to take the following steps immediately:

  1. Update WhatsApp: Ensure you are running the latest version of WhatsApp on your iPhone or Mac. The affected versions were WhatsApp for iOS prior to v2.25.21.73 and WhatsApp for Mac prior to v2.25.21.78.
  2. Update Your Operating System: Install the latest security updates for your Apple devices. The ImageIO vulnerability was patched in iOS 18.6.2 and macOS 15.6.1.
  3. Enable Lockdown Mode (iOS): If you are a high-risk individual who could be a target for mercenary spyware, consider enabling Apple’s Lockdown Mode. This feature provides an extreme level of security by limiting certain functionalities to prevent sophisticated attacks.
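As an added example (not part of the article, and not WhatsApp's or Apple's tooling), the following POSIX shell script checks a Mac against the patched versions listed in steps 1 and 2; it assumes WhatsApp is installed at /Applications/WhatsApp.app and exposes its version in CFBundleShortVersionString, and it skips the live lookups on non-macOS hosts so the comparison logic can be exercised anywhere.

```shell
#!/bin/sh
# Added example: compare a Mac's macOS and WhatsApp versions with the fixed
# versions named in the article. Assumed: WhatsApp lives in /Applications
# and its Info.plist carries CFBundleShortVersionString (standard layout).

MIN_WHATSAPP_MAC="2.25.21.78"   # article: Mac builds before this are affected
MIN_MACOS="15.6.1"              # article: ImageIO fix for CVE-2025-43300

# version_ge A B -> returns 0 when dotted version A >= B, comparing numeric
# components one at a time (a plain string compare would wrongly rank
# 2.25.9 above 2.25.21, and 15.6 above 15.6.1 would not be caught).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ap="${a%%.*}"; bp="${b%%.*}"                 # leading component
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # drop it
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        ap="${ap:-0}"; bp="${bp:-0}"                 # missing part == 0
        [ "$ap" -gt "$bp" ] && return 0
        [ "$ap" -lt "$bp" ] && return 1
    done
    return 0
}

# check_status NAME INSTALLED MINIMUM -> prints a verdict; 0 = patched, 1 = not
check_status() {
    if version_ge "$2" "$3"; then
        echo "$1 $2: patched (>= $3)"; return 0
    fi
    echo "$1 $2: VULNERABLE, update to $3 or later"; return 1
}

# Live checks only make sense on macOS; elsewhere just define the functions.
if command -v sw_vers >/dev/null 2>&1; then
    check_status "macOS" "$(sw_vers -productVersion)" "$MIN_MACOS"
    plist="/Applications/WhatsApp.app/Contents/Info.plist"   # assumed path
    if [ -f "$plist" ]; then
        check_status "WhatsApp" \
            "$(defaults read "$plist" CFBundleShortVersionString)" \
            "$MIN_WHATSAPP_MAC"
    else
        echo "WhatsApp not found at $plist"
    fi
fi
```

The script covers only the Mac side of step 1 and 2; iPhone versions still have to be checked through the App Store and Settings.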

While these vulnerabilities have been addressed, this incident serves as a stark reminder of the ongoing threat posed by zero-click exploits. It highlights the importance of keeping all software, from messaging apps to operating systems, up to date with the latest security patches.