Security experts are urging all iPhone users to update WhatsApp immediately after discovering a dangerous cyberattack that can infect devices without any user interaction. The attack exploited a zero-day vulnerability tracked as CVE-2025-55177, which was combined with a separate Apple vulnerability to target specific users with spyware.
What Happened in This Attack
Apple described this as an “extremely sophisticated attack” when it released emergency updates earlier this month. The attack uses what experts call a “zero-click” method, meaning victims don’t need to open any suspicious links or files.
The WhatsApp vulnerability allowed attackers to trick victim devices into fetching and processing malicious content from attacker-controlled websites. The Apple vulnerability then enabled attackers to use that malicious payload to achieve remote code execution on the device.

Key Facts About the Security Threat
Here are the important details every iPhone user should know:
- Limited Impact: Meta confirmed it sent threat notifications to fewer than 200 affected users
- Vulnerability Score: CVE-2025-55177 has a CVSS score of 8.0, indicating high severity
- Target Devices: The attack specifically targeted iPhone and Mac users
- Attack Method: The bug “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.”
How the Attack Works
The attack exploited a chain of vulnerabilities to gain access to target devices, and the initial entry point was WhatsApp on iOS and macOS. The WhatsApp vulnerability existed in the way the app handled linked device synchronization messages.
This means hackers could potentially access your phone without you clicking anything or even knowing an attack was happening.
What You Need to Do Right Now
Immediate Action Required:
- Update WhatsApp to the latest version through the App Store
- Check for any iOS updates and install them
- Review your WhatsApp privacy settings
- Be cautious about joining group chats from unknown contacts
WhatsApp is also rolling out a new feature to protect users from group chat scams that could target bank accounts, displaying a “safety overview” before users can view messages from unknown contacts.

Why This Attack is So Dangerous
Security experts from Amnesty International’s Security Lab called this an “advanced spyware campaign.” Zero-click attacks are particularly concerning because they require no user action, making them nearly impossible to detect without proper security measures.
The timing of this discovery is crucial. WhatsApp stated in an advisory that this previously unknown bug “may have been exploited in a sophisticated attack.” This suggests the vulnerability was actively used by hackers before it was discovered and fixed.
Stay Protected
While this specific vulnerability has been patched, it serves as a reminder about mobile security. Always keep your apps updated, enable automatic updates when possible, and be cautious about suspicious messages or unexpected group invitations.
Cybersecurity agencies worldwide, including Qatar’s National Cybersecurity Agency, have issued high-level security alerts urging WhatsApp users to immediately update their apps.
The good news is that internal researchers on the WhatsApp Security Team discovered and reported the bug, allowing for a quick fix. However, users must take action to install the update to stay protected.













