Zero-click attack on Apple devices via WhatsApp

WhatsApp reports a now-closed vulnerability that allowed vulnerable iOS and macOS devices to be attacked with spyware without user confirmation.

Meta is currently distributing updates for various WhatsApp clients because attackers were able to inject code without user intervention. The vulnerability in the messenger stems from a bug in authorization that affects certain iPhones, iPads and macOS computers when messages are to be automatically synchronized with the devices. It is registered under CVE-2025-55177 and can be exploited in conjunction with vulnerabilities in the devices' operating systems to install spyware via a URL. Users of Apple devices do not have to confirm this with a click or tap (zero-click attack).

The affected versions, WhatsApp for iOS version 2.25.21.73 or older, WhatsApp Business for iOS version 2.25.21.78 and WhatsApp for Mac version 2.25.21.78 or older, should be updated immediately. The exploit can be used in conjunction with the already known vulnerability CVE-2025-55177 (EUVD-2025-26214, CVSS 8.0, risk "high"). The vulnerability in the operating systems affects the "Image I/O" library and enables the injection of executable code via manipulated images. iOS, iPadOS and macOS should therefore also be updated immediately. According to Meta, the vulnerability may already have been exploited.

According to Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, the vulnerability has already been actively exploited. Some users have received warnings from WhatsApp that there are indications that a malicious message has been sent to them. The activist wrote this on the X platform. They are not sure whether the device in question has been successfully compromised; they recommend a full factory reset and always keeping operating systems and the WhatsApp application up to date in the future.

(rop)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.