WhatsApp Patches Zero-Click Exploit on iOS and macOS

WhatsApp has patched a high-severity vulnerability, CVE-2025-55177, in its messaging apps for Apple iOS and macOS. The company says the flaw may have been exploited in the wild in sophisticated, targeted zero-day attacks. The bug, rated CVSS 8.0, stems from insufficient authorization of linked-device synchronization messages.
Found by WhatsApp's own security team, the issue could have let an attacker make a target's device process content fetched from an attacker-chosen URL. More concerning is WhatsApp's assessment that it was likely chained with a recently disclosed Apple zero-day, CVE-2025-43300, an ImageIO bug triggered when a malicious image is parsed. Together the two form a "zero-click" chain: the device can be compromised without the user tapping anything. Users should update to the latest app version immediately.
The Vulnerability: CVE-2025-55177
The core issue, tracked as CVE-2025-55177 (CVSS score: 8.0), is an authorization flaw in how the app handles linked-device synchronization messages: the app did not sufficiently verify that such a message was authorized for the target account before acting on it. The bug was discovered and reported by internal researchers on the WhatsApp Security Team.
In a security advisory, the Meta-owned company explained that the issue “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.”
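To make the vulnerability class concrete, here is an added, simplified model of a linked-device sync handler. It is not WhatsApp's code, and the message fields, account model and media host are assumptions for illustration only. The vulnerable handler acts on whatever account a sync message claims to belong to, so any sender can make another account's devices fetch an arbitrary URL; the hardened handler only honours a sync message whose authenticated sender device is actually linked to the target account, and additionally restricts fetches to the service's own media host so that even a compromised linked device cannot steer the client at an attacker-controlled server.

```python
"""Hypothetical model of linked-device sync authorization (not WhatsApp's code).

Field names, the account/device model and the allowed media host are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed: the service only ever serves attachments from this host over HTTPS.
ALLOWED_MEDIA_HOSTS = {"media.example.net"}


@dataclass(frozen=True)
class Device:
    device_id: str
    account_id: str  # account this device was enrolled under


@dataclass
class Account:
    account_id: str
    linked_devices: set = field(default_factory=set)  # device_ids


@dataclass(frozen=True)
class SyncMessage:
    """A 'sync' tells the target account's devices to fetch and process content
    (e.g. a media attachment) so they all stay in step."""
    sender_device: str   # transport-authenticated identity of the sender
    target_account: str  # account whose devices should process this sync
    content_url: str     # where the content lives


class RecordingFetcher:
    """Stands in for the real downloader: records URLs instead of fetching."""
    def __init__(self):
        self.fetched = []

    def fetch(self, url):
        self.fetched.append(url)
        return f"<content of {url}>"


def is_allowed_media_url(url):
    """Accept only https URLs on the service's own media host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_MEDIA_HOSTS


def handle_sync_vulnerable(msg, accounts, fetcher):
    """Insufficient authorization: trusts the message's claim about which
    account it belongs to and never checks who sent it."""
    if msg.target_account not in accounts:
        return False
    fetcher.fetch(msg.content_url)  # attacker-chosen URL gets processed
    return True


def handle_sync_hardened(msg, accounts, devices, fetcher):
    """Process the sync only if the authenticated sender is one of the target
    account's own linked devices and the URL points at our media host."""
    account = accounts.get(msg.target_account)
    sender = devices.get(msg.sender_device)
    if account is None or sender is None:
        return False
    if sender.account_id != account.account_id:
        return False  # unrelated user addressing someone else's account
    if sender.device_id not in account.linked_devices:
        return False  # device was unlinked or never linked
    if not is_allowed_media_url(msg.content_url):
        return False  # defence in depth against a compromised linked device
    fetcher.fetch(msg.content_url)
    return True


def demo():
    """Constructed scenario: Mallory targets Alice with a forged sync."""
    devices = {
        "alice-phone": Device("alice-phone", "alice"),
        "alice-mac": Device("alice-mac", "alice"),
        "mallory-phone": Device("mallory-phone", "mallory"),
    }
    accounts = {
        "alice": Account("alice", {"alice-phone", "alice-mac"}),
        "mallory": Account("mallory", {"mallory-phone"}),
    }
    hostile = SyncMessage("mallory-phone", "alice",
                          "https://attacker.example/payload.dng")
    legit = SyncMessage("alice-phone", "alice",
                        "https://media.example.net/att/abc123")

    vuln_fetcher, hard_fetcher = RecordingFetcher(), RecordingFetcher()
    return {
        "vulnerable_hostile": handle_sync_vulnerable(hostile, accounts, vuln_fetcher),
        "vulnerable_fetched": list(vuln_fetcher.fetched),
        "hardened_hostile": handle_sync_hardened(hostile, accounts, devices, hard_fetcher),
        "hardened_legit": handle_sync_hardened(legit, accounts, devices, hard_fetcher),
        "hardened_fetched": list(hard_fetcher.fetched),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The important property is that the authorization decision is made on the transport-authenticated sender identity, not on any field the message itself carries; the URL allowlist is a second, independent check, since the sync message is exactly the point where the client would otherwise go and parse attacker-supplied image data.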
The flaw affects the following versions:
- WhatsApp for iOS prior to version 2.25.21.73
- WhatsApp Business for iOS prior to version 2.25.21.78
- WhatsApp for Mac prior to version 2.25.21.78
The Zero-Click Exploit Chain
WhatsApp also assessed that this shortcoming may have been chained with CVE-2025-43300, a significant vulnerability affecting iOS, iPadOS, and macOS.
Apple disclosed CVE-2025-43300 just last week, noting it had been weaponized in an “extremely sophisticated attack against specific targeted individuals.” That vulnerability is an out-of-bounds write issue in the ImageIO framework, which could result in memory corruption when processing a malicious image.
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, confirmed that WhatsApp has notified an unspecified number of individuals whom it believes were targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177. Ó Cearbhaill described the combination of the two vulnerabilities as a "zero-click" attack, meaning it requires no user interaction, such as clicking a link, to compromise the device.
“Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them,” Ó Cearbhaill stated on social media. “Government spyware continues to pose a threat to journalists and human rights defenders.”
In the alert sent to targeted individuals, WhatsApp also recommended performing a full factory reset of the device and keeping both the operating system and the WhatsApp app up to date. It is not yet known who, or which spyware vendor, is behind these attacks.