Critical WhatsApp Bug Lets Hackers Push Spyware to Phones

By Sophia Taylor

A newly discovered flaw in WhatsApp is being actively exploited in cyberattacks, prompting urgent warnings from U.S. cybersecurity officials and Apple. The issue has already been used in targeted “zero-click” attacks, where victims don’t need to do anything—like clicking a link—for their device to be compromised.

What the Vulnerability Does

The flaw, tracked as CVE-2025-55177, arises from the way WhatsApp manages its Linked Devices feature. In simple terms, the app does not always check whether a linked-device synchronization message is properly permitted, so an attacker can send a malicious synchronization message that causes the victim’s device to process content fetched from a web address of the attacker’s choosing.

Once abused, this weakness could serve as a stepping stone for broader attacks. Hackers could steal data, install spyware, or take control of parts of the device. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has already added this bug to its “Known Exploited Vulnerabilities” list, a sign that it is considered both serious and urgent.

Targeted Attacks and Apple’s Role

So far, fewer than 200 people have been directly affected, according to Meta, WhatsApp’s parent company. The victims appear to include journalists, activists, and other public figures who are often targets of spyware campaigns. Investigators say Android devices may also have been targeted, though much of the focus has been on iPhones.

Attackers combined the WhatsApp bug with a previously patched Apple flaw (CVE-2025-43300). That bug allowed malicious image files to corrupt memory and gain control over the device. Apple released a fix for iOS, iPadOS, and macOS on August 20, but unpatched devices remain exposed. By linking the two flaws, attackers were able to mount sophisticated, zero-click attacks that required no interaction from the victim.

How to Stay Protected

Meta has released updates for WhatsApp on iOS, WhatsApp Business for iOS, and WhatsApp for Mac that close the loophole. CISA has given U.S. government agencies until September 23 to apply the fix and warned that the flaw could be repurposed for wider campaigns, such as phishing or malware delivery.

For everyday users, updating to the latest version of WhatsApp and ensuring iOS or Android devices are running the newest system update is the most effective protection. High-risk individuals—such as journalists or human rights defenders—may want to take extra steps, such as enabling Lockdown Mode for iPhone or Advanced Protection for Android.

This incident is another reminder that messaging apps and smartphones are prime targets for cybercriminals. Because some attacks require no action from the victim, staying current with security updates is critical. Keeping apps and operating systems patched remains the simplest and most powerful defense against spyware and other advanced threats.