WhatsApp Zero-Day Chained With Apple Flaw in Sophisticated iPhone Attacks
A zero-day vulnerability in WhatsApp has been exploited alongside an Apple iOS flaw in targeted zero-click attacks against fewer than 200 people worldwide, raising concerns of a potential spyware campaign.
Tracked as CVE-2025-55177, the WhatsApp flaw stems from “incomplete authorization of linked device synchronization messages,” according to the company’s advisory. It could “allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” WhatsApp assessed that “this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”
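The advisory's phrase "incomplete authorization of linked device synchronization messages" describes a classic missing-authorization pattern: a client accepts a message that asks it to fetch and process content from a URL without first confirming that the message actually came from one of the account's own linked devices. The following Python model is an added illustration, not WhatsApp's code and not based on its protocol; the message fields, the `linked_devices` set and the `fetch_and_process` placeholder are all assumed for the example. It shows the vulnerable handler beside the hardened one, and records every rejected message so the rejects can feed detection.

```python
"""Hypothetical model of authorizing linked-device sync messages.

Added example, not WhatsApp code. A 'sync' message carries a URL whose
content the receiving client is asked to fetch and process. The vulnerable
handler trusts any sender; the hardened handler first verifies that the
sender is this same account and that the sending device is actually linked.
"""
from dataclasses import dataclass, field


@dataclass
class SyncMessage:
    sender_account: str     # account id the message is attributed to (assumed field)
    sender_device_id: str   # device id of the sending client (assumed field)
    content_url: str        # URL the receiver is asked to fetch and process


@dataclass
class Account:
    account_id: str
    linked_devices: set = field(default_factory=set)  # device ids paired to this account


class SyncRejected(Exception):
    """Raised when a sync message fails the authorization check."""


# Rejected messages are kept here so a detection pipeline could alert on
# repeated attempts from unrelated accounts (constructed, in-memory log).
REJECT_LOG: list = []


def fetch_and_process(url: str) -> str:
    # Placeholder for the real fetch-and-parse step; no network access here.
    return f"processed:{url}"


def handle_sync_vulnerable(account: Account, msg: SyncMessage) -> str:
    """Vulnerable pattern: any sender can make this account process a URL."""
    return fetch_and_process(msg.content_url)


def handle_sync_hardened(account: Account, msg: SyncMessage) -> str:
    """Hardened pattern: only this account's own linked devices may trigger sync."""
    if msg.sender_account != account.account_id:
        REJECT_LOG.append(("foreign_account", msg.sender_account, msg.content_url))
        raise SyncRejected("sync message attributed to a different account")
    if msg.sender_device_id not in account.linked_devices:
        REJECT_LOG.append(("unlinked_device", msg.sender_device_id, msg.content_url))
        raise SyncRejected("sync message from a device not linked to this account")
    return fetch_and_process(msg.content_url)


def demo() -> dict:
    """Run both handlers on a legitimate and an unrelated sender (constructed input)."""
    victim = Account("victim@example", linked_devices={"victim-laptop"})
    legit = SyncMessage("victim@example", "victim-laptop", "https://sync.example/state")
    unrelated = SyncMessage("stranger@example", "stranger-phone", "https://evil.example/payload")

    results = {"legit_hardened": handle_sync_hardened(victim, legit)}
    results["unrelated_vulnerable"] = handle_sync_vulnerable(victim, unrelated)
    try:
        handle_sync_hardened(victim, unrelated)
        results["unrelated_hardened"] = "processed"
    except SyncRejected:
        results["unrelated_hardened"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
    print(REJECT_LOG)
```

The point of the hardened handler is that the authorization decision is made on the receiver's own record of linked devices, not on anything the message asserts about itself, and that each rejection leaves a log entry a defender can count.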
Apple’s bug, an out-of-bounds write issue in its ImageIO framework, was patched on August 20. The company said, “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.” The flaw affected iOS, iPadOS, and macOS, and could be triggered by malicious image files, leading to memory corruption.
Meta confirmed it sent in-app threat notifications to fewer than 200 affected users. A spokesperson told Dark Reading that “as always, we encourage everyone to keep their apps and devices up to date and take advantage of WhatsApp’s additional privacy and security features.” Amnesty International added that “early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,” noting an ongoing investigation.
Both companies have issued fixes. WhatsApp patched CVE-2025-55177 in iOS version 2.25.21.73, Business for iOS version 2.25.21.78, and Mac version 2.25.21.78, while Apple rolled out updates across its supported operating systems. The U.S. Cybersecurity and Infrastructure Security Agency placed the WhatsApp bug on its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by September 23.
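A practical follow-up for anyone managing a fleet is to confirm that installed WhatsApp builds are at or above the fixed versions the article lists. The script below is an added example, not a Meta or CISA tool; the inventory rows are constructed, and the product keys are names chosen for this example. It compares versions numerically component by component, which matters because a plain string comparison would rank a hypothetical build "2.25.21.9" above "2.25.21.73" and wrongly report it as patched.

```python
"""Check an inventory of WhatsApp installs against the fixed versions from the advisory.

Added example. Fixed versions are the ones quoted in the article for
CVE-2025-55177; product keys and inventory rows are constructed for the demo.
"""
import re

FIXED_VERSIONS = {
    "whatsapp_ios": "2.25.21.73",
    "whatsapp_business_ios": "2.25.21.78",
    "whatsapp_mac": "2.25.21.78",
}


def parse_version(version: str) -> tuple:
    """Turn '2.25.21.73' into (2, 25, 21, 73) so components compare as integers."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed version for that product."""
    fixed = FIXED_VERSIONS[product]
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: list) -> list:
    """Return the names of devices whose WhatsApp build still needs updating.

    inventory rows are (device_name, product_key, installed_version).
    """
    return [name for name, product, ver in inventory if not is_patched(product, ver)]


# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = [
    ("cfo-iphone", "whatsapp_ios", "2.25.21.73"),        # exactly the fixed build
    ("field-iphone", "whatsapp_ios", "2.25.21.9"),       # lexically 'newer', numerically older
    ("sales-iphone", "whatsapp_business_ios", "2.25.20.80"),
    ("ops-mac", "whatsapp_mac", "2.25.22.1"),            # later minor build
]


if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: update required")
```

Tuple comparison also handles version strings of different length correctly: (2, 25, 21) sorts before (2, 25, 21, 73), so a build that omits the trailing component is reported as unpatched rather than silently accepted.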