WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices
Security Advisory 01.09.25
Overview
WhatsApp has addressed a security vulnerability in its messaging apps for Apple iOS and macOS that it said may have been exploited in the wild in conjunction with a recently disclosed Apple flaw (CVE-2025-43300) in targeted zero-day attacks.
The vulnerability, CVE-2025-55177 (CVSS score: High – 8.0), relates to a case of insufficient authorization of linked device synchronization messages. This essentially gives an attacker the ability to bypass authentication checks before linking with another device using WhatsApp. The most common tactic using this exploit is to trigger the loading of content from an arbitrary URL.
WhatsApp has claimed to have notified fewer than 200 individuals that they believe were targeted by an advanced spyware campaign in the past 90 days using this vulnerability. It’s currently not known who, or which spyware vendor, is behind the attacks.
Affected Devices
WhatsApp for iOS: Versions prior to 2.25.21.73 (patch released July 28, 2025)
WhatsApp Business for iOS: Versions prior to 2.25.21.78 (patch released August 4, 2025)
WhatsApp Desktop for Mac: Versions prior to 2.25.21.78 (patch released August 4, 2025)
Recommended Remediations
ctrl:cyber strongly recommends that you:
- Update affected devices to the latest version.
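To find which devices still need the update, the fixed versions listed under Affected Devices can be checked against an app inventory. The script below is an added example, not code from WhatsApp or from this advisory's sources; the CSV column names (`device`, `product`, `version`) and the device names are assumptions, and the sample rows are constructed.

```python
import csv
import io

# First fixed version per product, taken from the "Affected Devices" list above.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp Desktop for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(product, version):
    """True if version is older than the first fixed release for product."""
    # Compare as integer tuples: as strings, '2.25.9.80' would sort after '2.25.21.78'.
    return parse_version(version) < parse_version(FIXED[product])

def triage(inventory_csv):
    """Return (device, product, version, status) for every product in FIXED."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"]
        if product not in FIXED:
            continue  # not covered by this advisory
        try:
            status = "UPDATE" if is_vulnerable(product, row["version"]) else "ok"
        except ValueError:
            status = "REVIEW"  # missing or malformed version: check by hand
        findings.append((row["device"], product, row["version"], status))
    return findings

# Constructed sample inventory (hypothetical device names and column layout).
SAMPLE = """device,product,version
iphone-001,WhatsApp for iOS,2.25.21.72
iphone-002,WhatsApp for iOS,2.25.21.73
iphone-003,WhatsApp Business for iOS,2.25.9.80
mac-001,WhatsApp Desktop for Mac,2.25.22.1
mac-002,WhatsApp Desktop for Mac,unknown
ipad-001,Signal,7.1
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```

Rows marked `REVIEW` have a version string that could not be parsed and should be checked manually rather than assumed patched.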
Source: Meta
Source: National Vulnerability Database
Source: TheHackerNews