Overview
- Meta says CVE-2025-55177 allowed processing of content from arbitrary URLs via linked device sync in WhatsApp for iOS and Mac. It is now fixed in WhatsApp for iOS v2.25.21.73 and later, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.
- Apple previously patched CVE-2025-43300 in the ImageIO framework after confirming exploitation in an extremely sophisticated attack against specific individuals.
- WhatsApp sent fewer than 200 threat notifications, and Amnesty’s Donncha Ó Cearbhaill characterized the linked flaws as a zero-click spyware campaign active since late May.
- Early findings indicate iPhone and some Android users were targeted, and the Apple ImageIO vulnerability in a core library could be leveraged through apps beyond WhatsApp.
- Attribution remains unconfirmed, and notified users are urged to update devices and apps, consider a full factory reset, and seek expert assistance for forensic checks.