
WhatsApp is the most used messaging platform out there, with the application being utilized across both personal and professional environments. This is also what makes it a very lucrative and attractive attack surface for malicious actors. Now, Meta has patched a rather severe flaw in WhatsApp that was allowing hackers to steal data from targeted users.
In a brief security advisory, Meta has announced that it has patched CVE-2025-5517, a vulnerability caused by incomplete authorization of "linked device synchronization messages". Hackers could chain it with another vulnerability, CVE-2025-43300, to trigger the processing of content from an arbitrary URL without any interaction from the user, making it a zero-click attack.
Interestingly, the latter security flaw is actually related to Apple's core image library, according to Amnesty International Security Lab's Donncha Ó Cearbhaill on X (formerly Twitter). This OS-level flaw was recently patched by Apple, but before the fix it allowed malicious actors to infiltrate devices through apps other than WhatsApp too.
Meta has reportedly reached out to potentially impacted users to let them know that they may have received a message which has compromised their device due to a combination of vulnerabilities. The company is urging users to factory reset their handsets just in case, despite the bug being fixed. This is because an exploit could still be present in the device.
The scale of the attack is unclear, but we know that it has been happening for at least the past three months. Apparently, the exploitation process was quite sophisticated, so it's possible that it was primarily after high-value targets, but there's no way to know for sure right now. WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 are unprotected, so make sure that you upgrade from these versions as soon as possible.
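For anyone managing more than one device, the version thresholds above can be checked across an app inventory. The following is an added example, not code from Meta or from this article: the CSV layout and device names are constructed, and it assumes "prior to" applies to all three listed versions.

```python
import csv
import io

# First fixed builds, taken from the article (assumes "prior to" applies to all three).
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

# Constructed sample inventory export; device names and column layout are hypothetical.
SAMPLE_INVENTORY = """device,product,version
iphone-014,WhatsApp for iOS,2.25.21.8
iphone-022,WhatsApp for iOS,v2.25.21.73
iphone-031,WhatsApp Business for iOS,2.25.21.77
mac-007,WhatsApp for Mac,2.25.22.1
mac-009,WhatsApp for Mac,2.25.x
ipad-003,WhatsApp for iPad,2.25.21.10
"""

def parse_version(text):
    """Turn 'v2.25.21.73' into (2, 25, 21, 73); raise ValueError if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    # Integer tuples compare numerically, so 21.8 sorts below 21.73
    # (a plain string comparison would get this wrong).
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return {device: status} with status 'vulnerable', 'patched' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["product"])
        try:
            installed = parse_version(row["version"])
        except ValueError:
            fixed = None  # unknown state is escalated, never assumed safe
        if fixed is None:
            results[row["device"]] = "review"
        elif installed < parse_version(fixed):
            results[row["device"]] = "vulnerable"
        else:
            results[row["device"]] = "patched"
    return results

if __name__ == "__main__":
    for device, status in triage(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```

Rows marked `review` are products the article does not list or versions that could not be parsed, and need a manual look.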