WhatsApp Zero-Click Exploit Targeting iOS and macOS Devices

November 21, 2025
Posted by: Chernor Jalloh
Categories:

THREAT OVERVIEW

WhatsApp has patched a critical security vulnerability (CVE-2025-55177, Severity: High (CVSS: 8.0 – CISA ADP rating)) in its iOS and macOS applications. The flaw, discovered by WhatsApp’s internal security team, involves insufficient authorization of linked device synchronization messages. Exploitation could allow an attacker to force the processing of malicious content from an arbitrary URL on a target’s device.

The vulnerability was likely used in real-world zero-day attacks in conjunction with Apple’s recently disclosed CVE-2025-43300 (an ImageIO out-of-bounds write bug). Together, these vulnerabilities enabled zero-click compromises, meaning victims did not need to click or interact with anything to be infected.

AFFECTED VERSIONS

• WhatsApp for iOS prior to 2.25.21.73 (patched July 28, 2025)

• WhatsApp Business for iOS prior to 2.25.21.78 (patched August 4, 2025)

• WhatsApp for Mac prior to 2.25.21.78 (patched August 4, 2025)

IMPACT

• Attackers may compromise iOS/macOS devices without user interaction.

• The vulnerability has been linked to a spyware campaign targeting civil society individuals, journalists, and human rights defenders.

• WhatsApp has issued less than 200 in-app notifications to individuals believed to be targeted within the past 90 days.

MITIGATION & RECOMMENDATION

• Update immediately to the latest WhatsApp versions for iOS and Mac.

• Ensure iOS, iPadOS, and macOS devices are updated to the latest versions (patching CVE-2025-43300).

• If you suspect compromise, perform a full factory reset of the device.

• Monitor devices for unusual activity (battery drain, overheating, unexpected data usage).

• High-risk individuals (journalists, activists, NGOs) should enable Lockdown Mode on Apple devices for added protection.

CONCLUSION

This incident highlights the continued use of government-grade spyware tools targeting vulnerable individuals. Zero-click exploits remain one of the most dangerous attack vectors, requiring immediate patching and vigilance from all users.

REFERENCE

• WhatsApp Security Advisories

• NIST/NVD (National Vulnerability Database)

• The Hackers News

• TechCrunch

• Gadgets360

• CyberInsider

• SL-CSIRT

National Cybersecurity Coordination Centre Launches Sierra Leone’s National CSIRT and Digital Forensics Lab Freetown, Sierra Leone

14/01/2025

Cybersecurity Awareness Training for Government Ministries: Enhancing Digital Security

10/01/2025

Cyber Awareness School Debate: Uniting 16 Schools for Cybersecurity Education

10/01/2025

Cyber Hour Radio Program

27/07/2024

Workshop on the Budapest Convention

08/06/2024

Global Conference on Cyber Capacity Building

08/06/2024

how can we help you?

NC3 is dedicated to safeguarding your digital world. Our team of experts is here to provide comprehensive cyber security solutions tailored to your needs. Whether you’re a small business, a large corporation, or an individual seeking to enhance your online security.

Microsoft Patches Updates Addressing 81 Security Vulnerabilities

21/11/2025

Security Alert: Microsoft Patch Updates addressing 81 vulnerabilities

21/11/2025