
Meta has confirmed that a dangerous WhatsApp zero-click exploit (CVE-2025-55177) was used in a highly sophisticated attack against targeted users worldwide. The vulnerability involved device synchronization messages, allowing hackers to secretly execute malicious code by pushing content from a hidden URL.
What makes this flaw especially alarming is its zero-click nature. Victims did not need to click anything or open any suspicious file: their devices could be compromised silently, without warning.
Spyware Vendors Linked to the Attack
According to Meta, the flaw was combined with another recently patched Apple vulnerability (CVE-2025-43300). Amnesty International’s Security Lab revealed that commercial spyware vendors were almost certainly behind the operation, targeting high-risk individuals such as journalists, activists, and political dissidents.
These revelations echo the infamous 2019 WhatsApp spyware scandal, where NSO Group’s Pegasus spyware targeted over 1,000 users, sparking a legal battle with Meta. Similar vendors like QuaDream have been repeatedly linked to covert surveillance campaigns that threaten free speech and civil liberties worldwide.
iPhone and Android Users Both at Risk
While Meta’s advisory initially highlighted iOS and macOS as the primary targets, Amnesty International reported that both iPhone and Android users were impacted. Early signs show the spyware campaign was active for at least three months, with attackers chaining vulnerabilities across WhatsApp and operating system components.
Experts described this campaign as an “advanced spyware operation” aimed at a select group of individuals, making it more dangerous for civil society and human rights defenders.
Urgent Updates and Precautions
Meta has issued emergency patches across multiple platforms. The affected versions are:
- WhatsApp for iOS (before v2.25.21.73)
- WhatsApp Business for iOS (before v2.25.21.78)
- WhatsApp for Mac (before v2.25.21.78)
Users are strongly urged to update their apps immediately. Security experts also recommend that suspected victims perform a factory reset and ensure all OS updates are installed.
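For anyone checking more than one device, the version thresholds above can be applied to an app inventory export. The following is an added example, not code from Meta or from the original article; the CSV column layout and the device names are constructed assumptions, and only the product names and version numbers come from the list above. It compares versions numerically, because a plain string comparison would wrongly treat 2.25.9.80 as newer than 2.25.21.78.

```python
import csv
import io

# First fixed versions, taken from the advisory list above.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' or 'v2.25.21.73' into a tuple of ints for numeric comparison."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'vulnerable', 'patched', 'unknown-product' or 'bad-version'."""
    fixed = FIXED.get(product)
    if fixed is None:
        return "unknown-product"
    try:
        installed = parse_version(version)
    except ValueError:
        return "bad-version"  # surface for manual review instead of guessing
    return "vulnerable" if installed < parse_version(fixed) else "patched"

def audit(inventory_csv):
    """Yield (device, product, version, status) for each inventory row."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        yield (row["device"], row["product"], row["version"],
               classify(row["product"], row["version"]))

# Constructed sample inventory (hypothetical devices; the column layout is an assumption).
SAMPLE = """device,product,version
iphone-014,WhatsApp for iOS,2.25.21.72
iphone-022,WhatsApp for iOS,2.25.21.73
iphone-031,WhatsApp Business for iOS,2.25.9.80
macbook-07,WhatsApp for Mac,2.25.21.78
macbook-11,WhatsApp for Mac,2.25.x
"""

if __name__ == "__main__":
    for device, product, version, status in audit(SAMPLE):
        print(f"{device:12} {product:28} {version:12} {status}")
```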
Cybersecurity experts always advise keeping your apps updated. For journalists, activists, and other high-risk groups, the stakes are much higher. These attacks threaten not just privacy but also freedom of speech and global human rights.
Luckily, WhatsApp was quick to roll out patches to resolve the exploit. However, if these attacks get more sophisticated, even more pre-emptive measures will be required to curb phone malware.