Unpacking the latest WhatsApp Zero-Click Exploit
What is the zero-click exploit that targeted WhatsApp users?
By Kul Bhushan
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

WhatsApp last week disclosed that it had patched a serious security vulnerability that targeted its messaging apps on Apple iOS and macOS.
The company also disclosed that the vulnerability may have been exploited in a sophisticated attack against specific targeted users. WhatsApp said fewer than 200 users worldwide were affected by the hack.
Donncha Ó Cearbhaill, head of Amnesty's Security Lab, reportedly said that unidentified members of civic groups were among those impacted. In a post, he also hinted that affected users were informed by WhatsApp about the attack.
"Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users," WhatsApp said on its website.
According to security researchers Entrepreneur India spoke to, both companies (Apple and WhatsApp) are already isolating risky components.
Apple has built "BlastDoor" for iMessage, and Lockdown Mode limits features attackers exploit. WhatsApp is hardening its media parsers. Long term, rewriting legacy code in safer languages and more aggressive sandboxing are key defenses against future zero-clicks.
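A fleet check against the fixed builds named in the WhatsApp advisory quoted above, as an added example that is not code from WhatsApp or from this article. The inventory format and device names are constructed, and the script assumes the advisory's "prior to" applies to all three products. Versions are compared numerically because a plain string comparison would rank 2.25.9.81 above 2.25.21.73.

```python
import csv
import io

# First fixed builds, copied from the advisory text quoted in the article.
# Assumption: "prior to" applies to all three products listed there.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' or 'v2.25.21.73' into a tuple of ints."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product, version):
    """True if version precedes the fixed build; None if product is not in the advisory."""
    fixed = FIXED.get(product)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

def audit(inventory_csv):
    """Return (device, product, status) for every row that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            status = "update-required" if is_vulnerable(row["product"], row["version"]) else None
        except ValueError:
            status = "unknown-version"  # missing or malformed data is a finding, not a pass
        if status:
            findings.append((row["device"], row["product"], status))
    return findings

# Constructed sample inventory (hypothetical MDM export; not real devices).
SAMPLE_INVENTORY = """device,product,version
iphone-014,WhatsApp for iOS,2.25.9.81
iphone-022,WhatsApp for iOS,2.25.21.73
iphone-031,WhatsApp Business for iOS,2.25.21.73
macbook-007,WhatsApp for Mac,v2.25.22.1
macbook-011,WhatsApp for Mac,
ipad-003,Signal,7.40
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```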
Why do zero-click exploits raise alarm bells?
Technology companies are always a target for cybercriminals and attackers, and WhatsApp is no exception. Even though the instant messaging app boasts of robust security features, including end-to-end encryption, cyberattackers continue to look for different routes to target the platform. Among all kinds of attacks, a zero-click is one of the most dangerous.
Ritesh Bhatia, founder of V4WEB Cybersecurity, explains that the recent WhatsApp advisory is about a 'zero-click exploit', which is one of the most dangerous forms of cyberattack.
"Unlike phishing where you have to click a link, here you don't need to do anything at all—the attack works silently in the background. In this case, hackers combined a flaw in WhatsApp with another flaw in Apple's iOS to break into phones. That's called 'chaining vulnerabilities'—one weakness gets them in, the second gives them full control of the device," Bhatia told Entrepreneur India.
He further explained that spyware of this nature can do almost anything: read your messages, listen through your microphone, track your location, even watch you through the camera.
"The worrying part is that the victims, fewer than 200 worldwide, may never realise unless they are directly notified. Still, some warning signs could include unusual battery drain, higher data usage, the phone heating up, or random crashes," he added.
Anirudh Batra, a senior security researcher at CloudSEK, said that zero-click exploits are like the holy grail for attackers because they can work silently on fully updated devices. He also noted that the hack requires absolutely no action from the victim.
"…no clicking links, no opening attachments (that's what we were always told - Do not click any suspicious links on the internet from unknown sources)... But what if you get hacked without clicking anything malicious - that's probably a zero-click exploit. Your phone can be compromised just by receiving a message or call," he added.
Batra also broke down how the exploit actually works.
"Attackers rarely gain full control from a single vulnerability. With stronger security practices, apps are now built to limit the damage of any one flaw. So even if an app like WhatsApp is exploited, the attacker is usually confined within its walls.
To break out, hackers chain multiple bugs together — like stepping stones. In this case, the WhatsApp flaw gave them code execution inside the app but with restricted permissions. They then leveraged an iOS image-processing bug to escape WhatsApp's sandbox and reach the underlying operating system."
Reminiscent of Pegasus attack
The zero-click exploit and alleged targeting of select individuals reminds us of the Pegasus controversy a few years ago.
Developed by the Israeli company NSO Group, Pegasus is considered to be a highly intrusive spyware that is designed to be covertly installed on targeted smartphones. An investigation claimed that the spyware was being used by governments around the world to conduct surveillance on journalists, politicians and members of civil society, among others.
Like the latest zero-click exploit, Pegasus too targeted instant messaging apps like WhatsApp. This essentially means that, once it is installed, an attacker can easily snoop, extract data, and even turn on cameras and microphones without the owner ever finding out.
"The best protection is very simple: keep your apps and operating system updated. Updates close the holes hackers use. If you are notified that you were targeted, or if you strongly suspect compromise, back up your important data and do a factory reset. For high-risk users like journalists or activists, enabling iPhone's Lockdown Mode and keeping a clean, minimal setup is strongly advised," Bhatia advised.
It's worth noting that with advanced and commercially available spyware you often won't see anything. It's designed to hide.
High-end iOS spyware aims to leave no visible trace, so there may be no symptoms. Possible (but unreliable) hints include unusual reboots, battery/data spikes, odd profiles/MDM entries, strange call UI behaviour, or unknown logs/containers.
"Conclusive checks typically require forensic analysis (e.g., Amnesty's MVT against an iTunes backup with relevant IOCs). Apple's Threat Notifications may also alert high-risk users," according to Batra.