WhatsApp just patched a critical zero-click vulnerability that spyware vendors exploited to silently hack Apple devices without user interaction. The Meta-owned platform sent breach notifications to fewer than 200 targeted users, marking the latest escalation in the commercial spyware arms race threatening journalists, activists, and high-profile individuals worldwide.
WhatsApp has become ground zero for the most sophisticated cyberattacks on the planet, and Friday's security advisory reveals just how precarious our digital communications have become. The Meta-owned messaging giant disclosed that it patched a critical vulnerability that spyware vendors weaponized to silently infiltrate Apple devices in what security researchers are calling an "extremely sophisticated" zero-click campaign.
The attack chain combined two critical flaws: WhatsApp's CVE-2025-55177 and Apple's CVE-2025-43300, which Apple patched last week. Together, these vulnerabilities created a perfect storm that allowed attackers to deliver malicious exploits through WhatsApp without requiring any victim interaction—no clicking links, no downloading files, no warning signs whatsoever.
Donncha Ó Cearbhaill from Amnesty International's Security Lab first exposed the campaign's scope, revealing that the attacks ran for approximately 90 days starting in late May. "This was an advanced spyware campaign targeting specific individuals," Ó Cearbhaill posted on X, sharing screenshots of the breach notifications WhatsApp sent to victims.
Meta spokesperson Margarita Franklin confirmed to TechCrunch that the company detected and patched the vulnerability "a few weeks ago," sending notifications to "less than 200" affected users. The threat notifications bluntly warned victims: "This attack was able to compromise your device and the data it contains, including messages." However, Meta declined to identify the spyware vendor behind the campaign or provide attribution details.
The timing couldn't be more significant. This disclosure comes just months after WhatsApp secured a landmark $167 million judgment against Israeli spyware maker NSO Group for its 2019 Pegasus campaign that compromised over 1,400 WhatsApp users. That legal victory was supposed to signal a new era of accountability for commercial surveillance vendors.
