iPhone users, be sure to update your WhatsApp right away.
Meta-owned WhatsApp has fixed a major security bug in its iOS and Mac apps, which was being used to hack Apple devices. It targeted specific users in a stealthy way. The bug is tracked as CVE-2025-5517, according to WhatsApp.
A number of WhatsApp users have received an alert indicating they could be affected by a “zero-click” hack that has been happening for the past three months.
The bug was working with another Apple flaw, labelled as CVE-2025-43300, WhatsApp said on Friday.
Apple called the attack “extremely sophisticated” and noted that it was aimed at certain individuals only, according to a report by US technology news platform TechCrunch. WhatsApp confirmed that dozens of users were hit due to the bug and the issue has now been fixed.
Donncha Ó Cearbhaill, who heads Amnesty International's Security Lab, called the attack an “advanced spyware campaign” on X. He said it used “zero-click” flaws to silently target users since late May, needing no user interaction to compromise the device.
“New zero-click exploit used to hack WhatsApp users. WhatsApp has just sent out a round of threat notifications to individuals they believe were targeted by an advanced spyware campaign in the past 90 days. Seek out expert help if you have received this alert,” Cearbhaill's X post read.
"Ensure that your WhatsApp app is up to date," Cearbhaill added.
🚨 BREAKING: New zero-click exploit used to hack WhatsApp users.
WhatsApp has just sent out a round of threat notifications to individuals they believe where targeted by an advanced spyware campaign in past 90 days.
Seek out expert help if you have received this alert pic.twitter.com/i4cHLsiNOrThe two bugs were being used together to send a malicious exploit via WhatsApp, allowing attackers to steal data from Apple devices. According to Ó Cearbhaill, the attack could fully compromise a device and access messages and other data. It's still unknown who carried out the attacks or which spyware vendor is responsible, the TechCrunch report added.
Meta spokesperson Margarita Franklin told TechCrunch that the flaw was patched “a few weeks ago.” She confirmed WhatsApp sent fewer than 200 alerts to affected users. The company found the issue and moved to fix it quickly.
When asked, she did not name who was behind the attack or give any details on any spyware vendor. This is not the first time WhatsApp has encountered such an incident.
In May, a US court ordered NSO Group to pay WhatsApp $167 million for hacking over 1,400 users' devices in a 2019 campaign. Earlier this year, WhatsApp blocked a spyware attack targeting about 90 users in Italy, including journalists and civil society members. The Italian government had denied any role in the incident.
Watch LIVE TV, Get Stock Market Updates, Top Business, IPO and Latest News on NDTV Profit.
