
WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that could have been exploited in the wild, along with a recently disclosed Apple flaw, in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: 8.0), relates to insufficient authorization of linked device sync messages. It is believed that internal researchers on the WhatsApp Security Team discovered and evaluated the bug.
The Meta-owned company said the issue “may have allowed unrelated users to trigger content processing from any URL on the target device.”

The flaw affects the following versions: WhatsApp for iOS version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78.
The company also assessed that the flaw could have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as part of a sophisticated attack on a particular target user.
CVE-2025-43300 was disclosed last week by Apple as having been weaponized in “a very sophisticated attack on a particular targeted individual.”
The vulnerability in question is an out-of-bounds write in the ImageIO framework, which can cause memory corruption when processing malicious images.
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, said WhatsApp has notified an unspecified number of individuals who believe they have been targeted by advanced spyware campaigns in the past 90 days using CVE-2025-55177.
In alerts sent to targeted individuals, WhatsApp also recommends performing a full device factory reset and keeping the operating system and the WhatsApp app up to date. It is currently unknown who or which spyware vendor is behind the attack.

Ó Cearbhaill described the vulnerability pair as a “zero click” attack, meaning that no user interaction, such as clicking a link, is required to compromise a device.
“An early indication is that WhatsApp attacks are affecting both iPhone and Android users,” Ó Cearbhaill said. “Government spyware continues to pose threats to journalists and human rights advocates.”