WhatsApp Zero-Click Spyware Exposed Apple Users

WhatsApp logo with chat icons and message bubbles in the background.

Hackers chained two vulnerabilities to launch an advanced spyware campaign. One flaw sat inside WhatsApp (CVE-2025-55177), while the other lived in Apple’s iOS and macOS (CVE-2025-43300). Together, they allowed attackers to break into Apple devices without any action from the victim.


This type of “zero-click” exploit doesn’t require users to click a link or open a file. Instead, the malware silently entered devices through WhatsApp and, once inside, gave attackers access to messages and personal data. Amnesty International’s Security Lab reported that the spyware operated for about 90 days, beginning in late May.

Who Was Targeted

Meta confirmed fewer than 200 WhatsApp users received notifications warning they had been targeted. While the company avoided blaming a specific spyware vendor or government, experts described it as an “advanced spyware campaign.” Victims likely included journalists, activists, and other high-risk individuals.

Donncha Ó Cearbhaill of Amnesty’s Security Lab emphasized that attackers only succeeded because both flaws aligned. Installing just one patch left users exposed, showing how dangerous chained exploits can be.


Apple and Meta’s Response

Apple patched its systems on August 20, while Meta fixed WhatsApp a few weeks later. The companies stressed that devices are now secure—so long as users install the latest updates. Without both patches, attackers could still slip through the cracks.

Why It Matters

Zero-click exploits are among the most dangerous digital threats. They don’t rely on user mistakes and can compromise even cautious individuals. Apple often highlights its security-first ecosystem, but this incident shows that determined surveillance operators can still find ways in.

The key lesson for users is clear: update quickly. While spyware campaigns are usually aimed at select groups, anyone who delays updating remains at risk. For activists, journalists, or dissidents, those lost days before a patch can mean stolen messages, photos, or sensitive files.

