Campaign Vulnerability

Targeted spyware chain across WhatsApp and Apple Image I/O

Updated 16.09.2025 15:16

Case score 56

Case score 56 Members 2 Latest activity 16.09.2025 15:16 Active exploitation Patch available CVSS: 8.0 High

Active exploitation Patch available CVSS: 8.0 High

Members 2 First seen 29.08.2025 19:31 Last seen 16.09.2025 15:16 Updated 16.09.2025 15:16

Overview

Targeted spyware activity used a **WhatsApp** zero-click flaw and an **Apple** Image I/O vulnerability to reach specific users with a silent delivery path. WhatsApp tied **CVE-2025-55177** to **CVE-2025-43300** in targeted zero-day attacks, and Apple already had emergency fixes in place for the platform flaw. WhatsApp sent threat notifications and told potentially impacted users to factory reset devices and keep software current. Available evidence confirms patching and warning activity, but not the exact operator identity or the full number of affected devices.

Key facts

A targeted spyware operation chained **CVE-2025-55177** in **WhatsApp** with **CVE-2025-43300** in **Apple** software against specific individuals.
**CVE-2025-55177** was a zero-click authorization flaw in WhatsApp iOS and Mac clients that could trigger processing of content from an arbitrary URL.
**CVE-2025-43300** was an Image I/O out-of-bounds write in **Apple** software, and Apple patched it on August 20 with backports for older iPhones and iPads.
WhatsApp sent threat notifications to potentially impacted users and advised a device factory reset plus current operating-system and software updates.
The available evidence does not confirm the exact operator or the full number of affected users.

Malware context

1 families

Signals

5 derived

Exploitation

Exploitation Active exploitation CVSS 8.0 High

CVEs/products

CVE CVE

Remediation

Remediation Patch available

Member happenings

2 related

Campaign WhatsApp spyware campaign chaining CVE-2025-55177 and CVE-2025-43300

Updated 16.09.2025 15:16 Lead Contribution 56

Campaign Active Objective Espionage

A **targeted spyware campaign** hit **specific WhatsApp users**, increasing the risk of covert device surveillance. The operation chained **CVE-2025-55177** in WhatsApp with **CVE-2025-43300** in Apple software, making the attack path more effective against high-value devices. The activity was described as **extremely sophisticated** and focused on a **limited cohort** rather than broad consumer targeting. The timeframe points to **late August to September 2025**, and the same exploit chain was later linked to attacks against **Samsung Android devices**.

View happening

Vulnerability WhatsApp iOS and Mac zero-click authorization exploited in zero-day attacks security flaw (multiple vulnerabilities)

Updated 29.08.2025 19:31 Context

Exploitation Active Exploitation CVSS 8.0 High Patch Patch Available

**WhatsApp** patched **CVE-2025-55177**, a **zero-click authorization flaw** in its **iOS and Mac clients** that was exploited in **targeted zero-day attacks**. The bug could let an unrelated user trigger processing of content from an **arbitrary URL** on a target device. Affected versions include **WhatsApp for iOS prior to 2.25.21.73**, **WhatsApp Business for iOS v2.25.21.78**, and **WhatsApp for Mac v2.25.21.78**. WhatsApp tied the flaw to **incomplete authorization of linked device synchronization messages** and said it may have been used with **CVE-2025-43300** on Apple platforms.

View happening