WhatsApp has patched a critical zero-click vulnerability that was actively exploited by spyware operators to target iPhone users. The flaw allowed attackers to compromise devices without requiring any interaction, making it one of the most severe forms of mobile security threats. Security researchers warn that such zero-click exploits are highly valuable to surveillance groups because they leave little trace and can be used to bypass built-in defenses.
According to a report from TechCrunch, the vulnerability was being used in targeted attacks against Apple users, although Meta, WhatsApp’s parent company, has not disclosed the exact number of people affected. The issue was uncovered after users reported suspicious activity that linked back to Pegasus-style spyware tools designed to extract data, track messages, and monitor device activity.
The exploit chain relied on two weaknesses: one in WhatsApp itself and another in Apple’s operating system. WhatsApp has released updated versions of its iOS and macOS apps to fix how it handled specially crafted synchronization messages. At the same time, Apple issued emergency security updates including iOS 18.6.2, iPadOS 18.6.2, iPadOS 17.7.10, macOS Sonoma 14.7.2, macOS Ventura 13.7.3, and patched builds of macOS Sequoia 15.1 beta to address a zero-day bug in the ImageIO framework. This flaw could be used to corrupt memory when processing malicious images and was confirmed to have been exploited in the wild. Together, these vulnerabilities enabled a powerful zero-click attack that required no user interaction once the malicious message was received.
Zero-click attacks like this are rare but extremely dangerous because they can infect devices even when users are careful about their digital behavior. This latest case highlights the increasing use of advanced spyware against individuals such as journalists, activists, and political figures. Apple has previously introduced protective features like Lockdown Mode, but the evolving nature of these exploits shows that even hardened systems remain vulnerable.
For users, the most important step is to apply both fixes. That means updating WhatsApp to the latest version from the App Store and installing Apple’s newest security update (iOS 18.6.2, iPadOS 18.6.2, or the respective macOS patch). Keeping apps and operating systems current remains the most effective defense against these kinds of threats. For additional protection, users can explore iOS security features that strengthen defenses against spyware and related exploits.
