CVE-2025-55177: WhatsApp zero-click chain on Apple platforms

Updated: 4 September 2025 • Source links at the end

Overview

CVE-2025-55177 is an incorrect-authorization flaw in the handling of WhatsApp’s linked-device synchronization messages. In affected releases, an unrelated user (one with no existing relationship to the target) could trigger processing of content from an arbitrary URL on the target’s device. WhatsApp assesses that the flaw may have been combined with an OS-level Apple ImageIO zero-day (CVE-2025-43300) in a targeted zero-click campaign against specific users. Affected versions per the vendor advisory and NVD entry: WhatsApp for iOS < 2.25.21.73, WhatsApp Business for iOS < 2.25.21.78, and WhatsApp for Mac < 2.25.21.78. (WhatsApp, NVD)

CISA KEV: The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-55177 to the Known Exploited Vulnerabilities catalog on 2 September 2025, with a remediation due date of 23 September 2025 for federal civilian agencies. (NVD notes the KEV entry)

How it Works

WhatsApp supports linking secondary clients (desktop/web) to a primary device; the primary and the linked client exchange authorization tokens and synchronization messages to keep state in step. CVE-2025-55177 stems from incomplete authorization when handling those linked-device sync messages: the app did not sufficiently verify that an incoming sync message came from a device the target had actually linked, so a sender who is not even a contact of the target could coerce the app into fetching and processing content from an attacker-controlled URL. (WhatsApp advisory)

In observed attacks, the URL-delivered payload exploited Apple’s ImageIO out-of-bounds write bug (CVE-2025-43300) to achieve code execution with no user interaction (zero-click). Apple patched this on 20 August 2025 in iOS 18.6.2 / iPadOS 18.6.2 and corresponding macOS builds. (Apple advisory, NVD entry)

  • Bug class: Incorrect/Incomplete Authorization (CWE-863)
  • Delivery: Malicious linked-device sync → arbitrary URL processing
  • Execution: Chained with ImageIO memory corruption (CVE-2025-43300)
  • User action: None required (zero-click)

Impact & Risks

Although WhatsApp rates CVSS v3.1 at 5.4 (Medium), the operational severity is higher when chained with the OS bug: reliable delivery into a widely deployed app, zero-click execution, and stealthy persistence options typical of commercial spyware. Coverage indicates a narrow, targeted campaign with fewer than 200 notifications sent to at-risk users. (SecurityWeek, TechRadar Pro)

  • Targets include high-value individuals (civil society, journalists, execs).
  • Zero-click tradecraft complicates detection and forensics.
  • Large attack surface due to WhatsApp’s install base.
  • Confirmed KEV listing implies active exploitation pressure on lagging fleets.

Real-World Examples

Multiple outlets report a sophisticated spyware operation chaining CVE-2025-55177 with Apple CVE-2025-43300 since late May 2025, with Meta sending <200 in-app notifications to likely targets. (SecurityWeek, The Hacker News, Dark Reading)

Apple confirmed exploitation of CVE-2025-43300 in “an extremely sophisticated attack against specific targeted individuals,” reinforcing that this is not a mass campaign. (Apple advisory)

Recommendations

Immediate patching

  • Update WhatsApp for iOS to 2.25.21.73+, WhatsApp Business for iOS to 2.25.21.78+, and WhatsApp for Mac to 2.25.21.78+. (WhatsApp advisory)
  • Update Apple devices to versions containing the CVE-2025-43300 fix (e.g., iOS/iPadOS 18.6.2; macOS Sequoia 15.6.1, Sonoma 14.7.8, Ventura 13.7.8). (Apple advisory)
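Because the chain needs both halves (the WhatsApp flaw for delivery and the ImageIO flaw for execution), a fleet is only safe where the app build and the OS build are both at or above the fixed versions listed above. The following triage script is an added example, not code from WhatsApp, Apple or this page; it compares an MDM inventory export against those thresholds. The CSV schema, the product labels used as keys, and the device rows are constructed for the example. Version strings are compared as integer tuples rather than as text, because a string comparison would pass 2.25.21.9 as newer than 2.25.21.73.

```python
import csv
import io

# First fixed WhatsApp builds (WhatsApp advisory), keyed by the product label
# used in the constructed inventory below. The labels are an assumption about
# the inventory schema, not identifiers WhatsApp uses.
FIXED_APP = {
    "WhatsApp Messenger/iOS": (2, 25, 21, 73),
    "WhatsApp Business/iOS": (2, 25, 21, 78),
    "WhatsApp/macOS": (2, 25, 21, 78),
}

# First builds carrying the CVE-2025-43300 fix (Apple advisory), keyed by OS
# name and major version. An OS line absent here has no fix listed on this
# page, so it is flagged for review rather than silently passed.
FIXED_OS = {
    ("iOS", 18): (18, 6, 2),
    ("iPadOS", 18): (18, 6, 2),
    ("macOS", 15): (15, 6, 1),
    ("macOS", 14): (14, 7, 8),
    ("macOS", 13): (13, 7, 8),
}


def parse_version(text):
    """'2.25.21.73' -> (2, 25, 21, 73). Tuples compare numerically, and a
    shorter tuple such as (18, 6) sorts before (18, 6, 2), as required."""
    return tuple(int(part) for part in text.strip().split("."))


def app_status(product, version):
    fixed = FIXED_APP.get(product)
    if fixed is None:
        return "unknown-product"
    return "patched" if parse_version(version) >= fixed else "vulnerable"


def os_status(os_name, version):
    parsed = parse_version(version)
    fixed = FIXED_OS.get((os_name, parsed[0]))
    if fixed is None:
        return "review"  # no fix for this OS line is listed on this page
    return "patched" if parsed >= fixed else "vulnerable"


def needs_action(inventory_csv=None):
    """Return [(device, reason), ...] for every device where either the
    WhatsApp build or the OS build is not known to carry its fix."""
    if inventory_csv is None:
        inventory_csv = INVENTORY
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        app = app_status(row["product"], row["app_version"])
        if app != "patched":
            reasons.append(f"app {app} ({row['product']} {row['app_version']})")
        os_ = os_status(row["os"], row["os_version"])
        if os_ != "patched":
            reasons.append(f"os {os_} ({row['os']} {row['os_version']})")
        if reasons:
            findings.append((row["device"], "; ".join(reasons)))
    return findings


# Constructed inventory export (not real devices). Row b2 is the string-compare
# trap, c3 is a short OS version, e5 and f6 are OS lines with no listed fix.
INVENTORY = """device,product,app_version,os,os_version
iphone-a1,WhatsApp Messenger/iOS,2.25.21.73,iOS,18.6.2
iphone-b2,WhatsApp Messenger/iOS,2.25.21.9,iOS,18.6.2
iphone-c3,WhatsApp Business/iOS,2.25.21.78,iOS,18.6
mac-d4,WhatsApp/macOS,2.25.21.78,macOS,14.7.8
mac-e5,WhatsApp/macOS,2.25.21.78,macOS,12.7.6
iphone-f6,WhatsApp Messenger/iOS,2.25.21.80,iOS,17.7.2
"""

if __name__ == "__main__":
    for device, reason in needs_action():
        print(f"{device}: {reason}")
```

Devices that appear in the output need either an app update, an OS update, or a manual decision about an OS line Apple's advisory does not cover; devices that do not appear have both fixes in place.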

Hardening for high-risk users and enterprises

  • Enable iOS Lockdown Mode on high-risk profiles; enforce via MDM where appropriate.
  • Monitor for unusual WhatsApp device-linking activity and revoke unknown links.
  • Deploy mobile threat defense (MTD) and collect device telemetry to support forensics.
  • Practice rapid patching SLAs for messaging apps akin to browser patch cadences.

If you received a WhatsApp threat notification: back up essential data, perform a full device erase and clean OS reinstall, then re-provision from known-good sources and keep both WhatsApp and the OS on the latest builds. (THN coverage)

References