WhatsApp has issued an urgent security alert warning iPhone users to update their apps by installing the latest WhatsApp security update after uncovering a highly sophisticated cyberattack that exploited previously unknown vulnerabilities.
The Meta-owned messaging platform confirmed that attackers leveraged a flaw known as CVE-2025-55177, which allowed malicious actors to send harmful content disguised as normal links. The exploit, combined with another Apple operating system vulnerability (CVE-2025-43300), enabled attackers to compromise targeted devices and access sensitive data, including messages, without the victim’s interaction.
Zero-Click Attack Raises Concerns
Unlike typical phishing scams that require users to click or download suspicious files, this attack was classified as a “zero-click” exploit. That means attackers could deliver spyware without the user opening the malicious link. This reinforces the urgency of the WhatsApp security update for all affected devices.
According to cybersecurity experts, including Donncha Ó Cearbhaill of Amnesty International, the campaign targeted a limited but concerning number of users, with the spyware active over a three-month period. Victims received malicious WhatsApp messages that silently infected devices by exploiting OS-level weaknesses.
“The attack combined app-level and operating system vulnerabilities, allowing full compromise of affected devices,” WhatsApp’s advisory explained. Once infected, attackers could access personal data, monitor communications, and potentially gain broader control of the phone.
WhatsApp and Experts Recommend Urgent Updates
WhatsApp emphasized that iOS and macOS devices were the primary focus of this campaign, though early reports suggest that some Android users may also have been affected. To mitigate risks, the company urged users to immediately install the WhatsApp security update and update their operating systems.
The recommended versions are:
WhatsApp iOS v2.25.21.73 or later
WhatsApp Mac v2.25.21.78 or later
In addition, users were advised to enable iOS Lockdown Mode or Android Advanced Protection Mode, both designed to protect against advanced spyware campaigns.
For users who may have been specifically targeted, WhatsApp issued direct notifications advising a full factory reset to remove potential traces of infection after applying the WhatsApp security update. While such steps are inconvenient, experts highlight that they are often necessary when dealing with spyware of this sophistication.
Broader Cybersecurity Implications
This incident underscores the evolving complexity of mobile threats. Cybercriminals and surveillance actors are increasingly turning to zero-day vulnerabilities—unknown flaws not yet patched by vendors—to gain silent access to devices.
The fact that the attack required no user interaction highlights a critical shift in tactics. “Traditional advice like avoiding suspicious links is not always enough anymore,” cybersecurity analysts warn. Instead, staying current with patches and using advanced security settings has become essential, including promptly installing the WhatsApp security update.
The campaign also highlights the risks posed to high-value targets, including activists, journalists, and business leaders. However, experts caution that as such exploits become more common, everyday users may also be at risk.
Rising Wave of Cyber Threats
The WhatsApp advisory follows a series of recent alerts across the cybersecurity landscape. The FBI recently warned that Scattered Spider, a cybercriminal group previously linked to high-profile breaches in insurance and retail, is now expanding its attacks into the airline industry. The group relies heavily on social engineering, impersonating employees to gain internal access.
Together, these developments reflect a wider surge in global cybercrime activity. Sophisticated spyware campaigns, often operating silently, represent one of the most serious challenges for both technology providers and users.
For businesses and individuals alike, the takeaway is clear: regular updates (including the WhatsApp security update), stronger device protections, and proactive security habits are now non-negotiable.
Also Read: Microsoft Unveils Azure Integrated HSM to Counter $10 Trillion Cybercrime Threat
