WhatsApp urges iPhone users to update after 'extremely sophisticated' targeted attack uncovered
Company warns a newly disclosed vulnerability, paired with an Apple OS flaw, may have been used in a precision, possibly zero-click, compromise of select devices
WhatsApp on Monday urged iPhone users to update the messaging app immediately after disclosing a vulnerability it said may have been exploited in a sophisticated cyberattack against specific individuals.
In an advisory, WhatsApp identified the issue as CVE-2025-55177 and said it “assess[es] that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.” The company said its investigation indicates a malicious message may have been sent through WhatsApp and, when combined with other vulnerabilities in the device operating system, could have compromised the device and the data it contains, including messages.
WhatsApp described CVE-2025-55177 as a flaw that “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” Security firms said that method can be used to deliver malware or spyware disguised as benign content or links. Bitdefender summarized the practical risk as an attacker’s ability to send malware or spyware under the guise of a harmless-looking link.
Amnesty International researcher Donncha Ó Cearbhaill said on the social platform X that the flaw appeared to be a “zero-click” bug, which security experts use to describe vulnerabilities that can be exploited without the target taking any action, such as clicking a link. WhatsApp said its alerts have been sent to users it believes may have been affected.
WhatsApp did not disclose how many users were targeted or compromised. The company urged all iPhone users to update to the latest version of WhatsApp available in the iOS App Store and to keep their Apple operating system updated, saying that installing the patches released by WhatsApp and Apple will mitigate the issue.
The advisory framed the incident as targeted and precision-based rather than a broad, indiscriminate campaign. WhatsApp’s parent company Meta has previously warned about targeted attacks that combine messaging-app flaws with operating-system vulnerabilities to gain access to devices; security researchers have noted that such chains have been used in high-profile spyware operations in recent years.
WhatsApp’s public notice follows standard incident-response practice of releasing fixes and urging users to apply updates promptly. The company said it has taken steps to address the vulnerability and is continuing to investigate. Apple and WhatsApp did not immediately provide additional public details about attribution or the attackers’ identity.
Security vendors and researchers recommended that users check for in-app warnings from WhatsApp indicating potential compromise, install the latest updates to WhatsApp and iOS, and avoid interacting with unexpected links or messages even from known contacts until patches are applied. Because the advisory describes targeted exploitation that could occur without user interaction, prompt application of updates is the primary recommended defense.

The disclosure underscores ongoing security challenges for mobile platforms, where messaging apps and operating-system components can be combined by attackers to surreptitiously extract data. WhatsApp said that the update addressing CVE-2025-55177 is available now for iPhone users and reiterated that it will notify users directly if it believes their accounts or devices were compromised.
Users seeking more information should consult official WhatsApp security advisories and Apple’s security updates pages for details on patched versions and installation instructions.