Critical WhatsApp Zero-Click Vulnerability Exploited in Sophisticated Spyware Campaign - A Deeper Dive

Remember NSO Group? The spyware company that got slapped with a $167 million judgment for hacking 1,400 WhatsApp users back in 2019? Well, someone didn’t get the memo.

Last week, WhatsApp quietly pushed an emergency update to patch CVE-2025-55177 – and sent threat notifications to fewer than 200 users with a chilling message: “We believe attackers may have targeted you with advanced spyware.”

This wasn’t your typical phishing campaign. This was a zero-click attack so sophisticated it makes you want to delete all your “secure” apps and revert to carrier pigeons.

The Two-Punch Combo

The attackers pulled off something truly diabolical: they chained two separate zero-day exploits together like a digital one-two punch.

First, they exploited a flaw in WhatsApp’s device sync system (CVE-2025-55177). Because of this vulnerability, the app did not fully check whether a device was actually allowed to send certain sync messages. An attacker could therefore trick the app into loading data from a website link (URL) of their choice on the victim’s device, essentially tricking your iPhone into fetching content from their server. Then they delivered a poisoned image (yes, you heard that right, an image) designed to exploit Apple’s ImageIO framework (CVE-2025-43300) – a bug Apple described as being used in “extremely sophisticated attacks.”
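To make that authorization gap concrete, here is a simplified Python model written for this post (it is not WhatsApp’s code): a sync handler that acts on a URL carried in a device-sync message. The vulnerable version trusts whatever device identifier the message claims; the hardened one only honours a message that is authenticated under a key belonging to a device the account has actually linked. The message fields, the per-device keys and the sample URLs are all constructed for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

@dataclass
class SyncMessage:
    device_id: str    # sender's claimed linked-device identifier
    content_url: str  # URL the receiving app is asked to fetch and render
    tag: bytes        # MAC over (device_id, content_url) under the sender's device key

@dataclass
class Account:
    # Hypothetical per-device keys, established when a device is linked.
    linked_device_keys: dict = field(default_factory=dict)

class SyncRejected(Exception):
    pass

def _mac(key: bytes, device_id: str, url: str) -> bytes:
    return hmac.new(key, f"{device_id}\n{url}".encode(), hashlib.sha256).digest()

def make_sync_message(key: bytes, device_id: str, url: str) -> SyncMessage:
    return SyncMessage(device_id, url, _mac(key, device_id, url))

def fetch_stub(url: str) -> str:
    # Stand-in for the network fetch and image decode; returns a marker only.
    return f"fetched:{url}"

def handle_sync_vulnerable(msg: SyncMessage, account: Account) -> str:
    # Acts on the URL as long as a device id is present; never verifies that
    # the sender holds a key for a device linked to this account.
    if not msg.device_id:
        raise SyncRejected("missing device id")
    return fetch_stub(msg.content_url)

def handle_sync_hardened(msg: SyncMessage, account: Account) -> str:
    # Authorization bound to authentication: the device must be linked AND the
    # message must carry a valid MAC under that device's key. Only then is any
    # URL in the message acted upon.
    key = account.linked_device_keys.get(msg.device_id)
    if key is None:
        raise SyncRejected(f"device {msg.device_id!r} is not linked to this account")
    if not hmac.compare_digest(msg.tag, _mac(key, msg.device_id, msg.content_url)):
        raise SyncRejected("sync message not authenticated by the linked device")
    return fetch_stub(msg.content_url)
```

The point of the second handler is that a device id alone is not an authorization decision; the check has to be tied to a credential only a genuinely linked device possesses.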

No clicking required. No suspicious links to avoid. Your phone just gets compromised while you’re scrolling through your messages.

The Usual Suspects

While WhatsApp won’t name names, the attack has all the hallmarks of the commercial spyware industry that’s been having a banner year.

Just this February, WhatsApp exposed another campaign targeting 90 Italian journalists using Paragon Solutions’ “Graphite” spyware. The backlash was so severe that Paragon actually fired Italy as a customer – though that’s like kicking one person out of a packed nightclub.

This pattern is depressingly familiar: journalists investigating corruption, human rights lawyers, activists exposing abuse. If you’re shining a light where powerful people prefer darkness, congratulations, you might be worth a zero-day.

The 90-Day Hunt

This wasn’t a hit-and-run attack by any means. The campaign ran for three months, from late May through August, targeting civil society members with surgical precision. Donncha Ó Cearbhaill from Amnesty International’s Security Lab called it an “advanced spyware campaign”; another way to put it is that someone spent serious money to silence specific people.

The technical execution was elegant in its brutality. The vulnerability let attackers abuse WhatsApp’s multi-device feature, making your phone think it needed to sync with their malicious server. Your device was just doing its job. It had no idea it was downloading its own destruction.

Democracy’s Digital Siege

Here’s the thing that should terrify you (it certainly gives me that paranoid feeling): this industry is booming. NSO Group’s quarter-billion-dollar judgment was supposed to be a deterrent, but it seems to have had the opposite effect.

Citizen Lab researchers have documented Paragon’s spyware being deployed across multiple countries, targeting everyone from environmental activists to migration journalists. When ICE is reportedly using these tools for surveillance operations, the line between “law enforcement” and “digital authoritarianism” gets pretty blurry.

The Bigger Picture

The 200 people who got those threat notifications weren’t random targets; they were chosen because their voices are bigger than mine or yours. Silencing them silences all of us.

We’ve created a world where surveillance capabilities that would make totalitarian regimes jealous can be purchased off the shelf. Every time a journalist can’t communicate securely with sources, every time an activist hesitates before organizing, our freedom and privacy die a little.

What Now?

If you’re thinking “I’m nobody special, why worry?” – you’re missing the point. These attacks succeed because they make everyone a little less free.

Update your apps. Support organizations fighting surveillance abuse. And remember: the next zero-click exploit isn’t a question of if, but when.

The spyware industry has just proved it learned nothing from NSO Group’s expensive lesson. The question is: what will come of this incident, and will things only get worse?

Your WhatsApp is patched now. But the war for digital privacy has barely begun.