In recent weeks WhatsApp has closed an important security flaw, tracked as CVE-2025-55177 and found in its iPhone and Mac versions. The flaw could potentially be exploited together with another hole in Apple's systems, identified as CVE-2025-43300. Combining the two flaws could allow zero-click attacks, a particularly insidious form of intrusion because the victim does not have to take any action, such as opening a link or downloading a file (hence the name "zero-click"), for the device to be compromised.
This means that a user, however careful about their digital habits, could neither have noticed the intrusion attempt nor avoided it with the usual precautions. Meta confirmed that it has fixed the flaw that made the messaging app vulnerable.
The scope of the problem and how to protect yourself on iPhone and Mac
Margarita Franklin, spokesperson for Meta (WhatsApp's parent company), told the news site TechCrunch that the company fixed the flaw "a few weeks ago" and sent "less than 200" notifications to affected WhatsApp users. Journalists also asked whether WhatsApp had any idea who might be behind the attacks, perhaps a specific attacker or a surveillance vendor, but the spokesperson declined to comment on that question.
Amnesty International, which monitored the story, describes it as a spyware campaign conducted over the last three months with advanced technical capabilities. In similar cases the stolen data may include messages, personal content and sensitive information stored on the devices. This is why, even if the probability of being involved is minimal, updating the app remains a necessary measure: it serves not only to protect yourself but also to shrink the pool of potential victims available to those who carry out these attacks.
Where did the problem originate? The answer is in the official note in which the company disclosed the flaw, which reads:
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78 and WhatsApp for Mac version 2.25.21.78 could have allowed an unrelated user to trigger the processing of content from an arbitrary URL on a target's device. We believe that this vulnerability, in combination with an operating-system-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific users.
In WhatsApp's case, then, the problem was an authorization defect in the synchronization messages exchanged between linked devices, which could have allowed the processing of content from arbitrary URLs, i.e. web addresses chosen by the attacker. When this flaw was combined with the one in Apple's operating systems (iOS and macOS), it became possible to deliver an exploit, that is, code written to abuse the weakness and gain access to data. It is worth underlining that WhatsApp's internal security researchers identified the problem and corrected the code a few weeks ago, releasing updates for iOS and Mac that are already available in the official stores. To be safe from this flaw, therefore, it is sufficient to install the latest available WhatsApp update from the App Store.
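To make the "incomplete authorization" in the advisory concrete, here is an added toy model (not WhatsApp's code; device names, account ids and URLs are constructed) of a receiver for linked-device sync messages. With the check switched off it honours a sync from any sender and so would process content from a URL the sender chose; with the check on it only acts on syncs from devices the account actually linked.

```python
from dataclasses import dataclass, field


@dataclass
class SyncMessage:
    """A linked-device sync message as seen by the receiving device."""
    sender_device: str    # device the message claims to come from
    target_account: str   # account whose device should act on it
    content_url: str      # URL whose content the receiver is asked to process


@dataclass
class Account:
    account_id: str
    linked_devices: set = field(default_factory=set)  # devices the user has linked


class SyncReceiver:
    """Toy receiver for device-sync messages (constructed model, not WhatsApp code).
    require_linked=False mimics the flaw described in the advisory; require_linked=True
    honours a sync only when it comes from a device the account has linked."""

    def __init__(self, account, require_linked):
        self.account = account
        self.require_linked = require_linked
        self.processed = []   # URLs whose content would be fetched and parsed
        self.rejected = []    # sender devices whose syncs were refused

    def handle(self, msg):
        # Messages addressed to another account are dropped in both variants.
        if msg.target_account != self.account.account_id:
            self.rejected.append(msg.sender_device)
            return False
        # The authorisation step the vulnerable version lacks.
        if self.require_linked and msg.sender_device not in self.account.linked_devices:
            self.rejected.append(msg.sender_device)
            return False
        # No network access here: just record what would have been processed.
        self.processed.append(msg.content_url)
        return True


def run_scenario(require_linked):
    """Replay one sync from a linked device and one from an unrelated sender."""
    victim = Account("victim", {"victim-phone", "victim-mac"})
    receiver = SyncReceiver(victim, require_linked)
    receiver.handle(SyncMessage("victim-mac", "victim", "https://example.invalid/legit-sync"))
    receiver.handle(SyncMessage("attacker-dev", "victim", "https://example.invalid/attacker-chosen"))
    return receiver.processed
```

The defensive lesson is that the sync channel must authenticate the sending device against the account's own linked-device list before any content referenced by the message is fetched or parsed.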
WhatsApp and its history of zero-click attacks
Zero-click attacks are nothing new for WhatsApp. In the past the platform has already been at the center of surveillance campaigns: in 2019 the Israeli NSO Group was accused of using its Pegasus spyware against over 1,400 people. That affair led to a legal case that ended with NSO being ordered to pay 167 million dollars in damages to WhatsApp. More recently, at the beginning of 2024, about 90 users in Italy, including journalists, among them our Fanpage colleagues Francesco Cancellato and Ciro Pellegrino, were targeted by espionage tools attributed to Paragon.