WhatsApp has patched a vulnerability that, chained with an Apple flaw, let spyware operators compromise iPhones and Macs with no user interaction. The Meta-owned platform sent threat notifications to fewer than 200 targeted users, the latest escalation in a commercial spyware market whose targets are routinely journalists, activists, and other high-profile individuals.
WhatsApp, as the world's most widely used messaging app, has become a preferred delivery channel for the most sophisticated intrusion operations, and Friday's security advisory shows how little a target can do once an exploit requires no click. The Meta-owned messaging giant disclosed that it patched a vulnerability that spyware vendors weaponized to silently infiltrate Apple devices in what Apple's own advisory describes as an "extremely sophisticated" attack against specific targeted individuals.
The attack chain combined two flaws: WhatsApp's CVE-2025-55177 and Apple's CVE-2025-43300, which Apple patched last week. Chained together, the messaging-app bug acted as the delivery channel for attacker-controlled content and the operating-system bug turned the device's processing of that content into code execution, so the victim never had to click a link, open a file, or see any warning.
Donncha Ó Cearbhaill from Amnesty International's Security Lab first exposed the campaign's scope, revealing that the attacks ran for approximately 90 days starting in late May. "This was an advanced spyware campaign targeting specific individuals," Ó Cearbhaill posted on X, sharing screenshots of the breach notifications WhatsApp sent to victims.
Meta spokesperson Margarita Franklin confirmed to TechCrunch that the company detected and patched the vulnerability "a few weeks ago," sending notifications to "less than 200" affected users. The threat notifications bluntly warned victims: "This attack was able to compromise your device and the data it contains, including messages." However, Meta declined to identify the spyware vendor behind the campaign or provide attribution details.
The timing matters. This disclosure comes just months after WhatsApp won a landmark $167 million jury verdict against Israeli spyware maker NSO Group over its 2019 Pegasus campaign, itself a zero-click attack delivered through WhatsApp's voice-calling stack, that targeted about 1,400 WhatsApp users. That legal victory was supposed to signal a new era of accountability for commercial surveillance vendors.
Yet the attacks keep evolving. Earlier this year, WhatsApp disrupted another spyware campaign targeting roughly 90 users in some two dozen countries, including journalists and civil society members in Italy. That incident involved spyware from Paragon Solutions, which subsequently terminated its contract with the Italian government after the abuse came to light.
The latest campaign represents a technical escalation in the spyware arms race. Zero-click exploits are the most sought-after capability in government surveillance because they give the target nothing to notice and do not depend on social engineering that might tip off a cautious victim. They are not trace-free, however: crash logs, process records, and other artifacts in device backups are exactly what forensic labs such as Amnesty's Security Lab and Citizen Lab have used to confirm and attribute past campaigns. The fact that attackers successfully chained vulnerabilities across two major platforms, WhatsApp and iOS/macOS, demonstrates the resources and technical sophistication behind these operations.
For Apple, this marks another reminder that even its heavily fortified ecosystem remains vulnerable to state-sponsored threats. The company has invested in Lockdown Mode and its own threat notification program, but the combination of zero-day vulnerabilities and sophisticated delivery mechanisms continues to challenge even the most security-conscious platforms. For anyone at elevated risk, the practical advice is unchanged: keep iOS, macOS, and WhatsApp updated to the patched releases and enable Lockdown Mode, which restricts the kinds of message and media processing that exploit chains like this one depend on.
The broader implications extend far beyond the immediate victims. Commercial spyware vendors continue to operate in a regulatory gray area, selling powerful hacking tools to governments with minimal oversight. Despite increased scrutiny from lawmakers and civil society groups, the industry shows no signs of slowing down—it's simply becoming more sophisticated and harder to detect.
What makes this case particularly concerning is the operational security displayed by the attackers. Running a campaign for roughly 90 days before Meta's security teams caught it, against a user base that both Meta and Apple actively monitor for exploitation, requires significant resources and expertise. Meta has not named the operator, but that level of sophistication points to either a well-funded nation-state actor or a commercial spyware vendor at the top tier of the surveillance industry.
The WhatsApp zero-click campaign shows how commercially available spyware continues to evolve despite legal setbacks and public scrutiny. As Meta and Apple race to patch vulnerabilities, sophisticated adversaries are finding new ways to chain exploits across platforms. Users who received WhatsApp's notification should update immediately and seek a forensic review; Amnesty's Security Lab, which disclosed the campaign's scope, maintains the open-source Mobile Verification Toolkit for exactly that kind of device triage. For the broader tech industry, this incident underscores that even the most secure messaging platforms remain targets of well-funded surveillance operations.