Date: 2025-09-01

Meta Platforms-owned WhatsApp has fixed a security vulnerability affecting its iOS and macOS messaging clients targeted in zero-day attacks.

According to a company statement, the zero-click flaw impacted WhatsApp iOS clients before version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.

“Incomplete authorisation of linked device synchronisation messages for WhatsApp … could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” it said.

“We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms, may have been exploited in a sophisticated attack against specific targeted users.”

Security Lab head at Amnesty International, Donncha Ó Cearbhaill, said WhatsApp has only just warned some users that they had been targeted in an advanced spyware campaign in the past three months.

“We’ve made changes to prevent this specific attack from occurring through WhatsApp,” it said in alerts sent to impacted users.

“However, your device’s operating system could remain compromised by the malware or be targeted in other ways.”

According to Ó Cearbhaill, WhatsApp recommended that impacted users perform a factory reset on their devices and keep their operating systems and software up to date.

The OS-level vulnerability on Apple platforms is being tracked as CVE-2025-43300, and Apple released emergency updates earlier this month to patch the zero-day flaw.

Bleeping Computer reported that the Apple flaw had been exploited in an “extremely sophisticated attack.”

The vulnerability was caused by an out-of-bounds write weakness, identified by Apple security researchers, in the Image I/O framework, which enables applications to read and write most image formats.

An out-of-bounds write occurs when an attacker supplies input that causes a program to write data outside the allocated memory buffer.

This can lead to the program crashing, corrupting data, or enabling remote code execution.

WhatsApp’s patching of this latest vulnerability comes after it fixed another zero-day flaw in March 2025. That earlier flaw was exploited to install Paragon’s Graphite spyware.

“WhatsApp has disrupted a spyware campaign by Paragon that targeted a number of users, including journalists and members of civil society,” a spokesperson told Bleeping Computer.

“We’ve reached out directly to people who we believe were affected.”