WhatsApp has issued a security advisory after uncovering a critical zero‑click vulnerability (CVE-2025-55177) that has been exploited in highly sophisticated attacks against iOS and macOS users.
The flaw, when chained with an Apple operating system vulnerability (CVE-2025-43300), created a powerful exploit pathway capable of compromising devices and accessing sensitive user data without any interaction from the victim.
Vulnerabilities Uncovered
According to WhatsApp’s security advisory, the primary flaw (CVE-2025-55177) stemmed from “incomplete authorization of linked device synchronization messages” affecting multiple versions of its applications:
- WhatsApp for iOS (versions prior to 2.25.21.73)
- WhatsApp Business for iOS (versions prior to 2.25.21.78)
- WhatsApp for Mac (versions prior to 2.25.21.78)
Exploitation of the bug allowed a malicious actor to remotely trigger the processing of content from arbitrary URLs on a target’s device, with no clicks or user interaction required — a hallmark of so‑called zero‑click exploits.
The impact was significantly worsened when attackers combined the WhatsApp flaw with CVE-2025-43300, a previously disclosed out-of-bounds write vulnerability in Apple’s ImageIO framework.
The Apple vulnerability, residing deep within a core image-handling library, could lead to memory corruption and enable unauthorized access to device data.
Ongoing Research
Amnesty International’s Security Lab is deeply engaged in probing this incident, focusing on cases involving multiple targeted individuals.
Preliminary findings indicate the attack affects both iPhone and Android users, with civil society members, particularly journalists and human rights defenders, among the victims.
The persistent use of government spyware against these groups remains a significant concern.
A critical detail from the investigation is that the Apple vulnerability (CVE-2025-43300) lies within a core image library, suggesting it could be exploited through apps beyond WhatsApp.
Apple had patched CVE-2025-43300 earlier, confirming that it was being used in “extremely sophisticated attacks against specific targeted individuals.”
The pairing of these two flaws enabled attackers to weaponize malicious messages against high-value targets.
WhatsApp confirmed it had proactively notified targeted users who may have received the malicious messages. Notifications warned recipients that attackers may have accessed “device contents, including sensitive messages,” by chaining WhatsApp and OS-level vulnerabilities.
While WhatsApp clarified it cannot verify with certainty whether every alerted account was successfully compromised, it stressed that the risk of device data compromise was real and substantial.
WhatsApp’s Response
WhatsApp announced that it had rolled out server-side and client-side mitigations to block this attack vector in the latest app updates.
However, it emphasized that vulnerabilities at the OS level remain a risk, meaning that users must also update their Apple devices with the latest iOS, iPadOS, and macOS security patches.
The company urged users to take the following steps:
- Enable Lockdown Mode on iOS/iPadOS
- Enable Advanced Protection Mode on Android devices
- Upgrade WhatsApp to the latest versions (iOS v2.25.21.73+, Business iOS v2.25.21.78+, Mac v2.25.21.78+)
- Apply the most recent iOS, iPadOS, and macOS updates
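As an added example (not part of the advisory or of WhatsApp's own tooling), the script below checks a constructed inventory of WhatsApp installs against the fixed versions listed above. The product keys, device names and sample versions are assumptions; the fixed-version thresholds are the ones the advisory states.

```python
# Added example, not from the advisory: flag WhatsApp installs that are still
# below the builds fixed for CVE-2025-55177. Versions are compared field by
# field as integers, because a plain string comparison would wrongly rank
# "2.25.21.9" above "2.25.21.73".

# Fixed builds as stated in the advisory; product keys are our own naming.
FIXED_VERSIONS = {
    "whatsapp_ios": "2.25.21.73",
    "whatsapp_business_ios": "2.25.21.78",
    "whatsapp_mac": "2.25.21.78",
}


def parse_version(version: str) -> tuple:
    """Turn '2.25.21.73' into (2, 25, 21, 73) so comparison is numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed build."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product: {product}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage(inventory):
    """Return the (device, product, version) records that still need an update."""
    return [rec for rec in inventory if is_vulnerable(rec[1], rec[2])]


# Constructed sample inventory; device names and versions are made up.
SAMPLE_INVENTORY = [
    ("iphone-01", "whatsapp_ios", "2.25.21.73"),           # already on the fixed build
    ("iphone-02", "whatsapp_ios", "2.25.21.9"),            # older, although it sorts higher as text
    ("iphone-03", "whatsapp_business_ios", "2.25.20.80"),  # older in the third field
    ("mac-01", "whatsapp_mac", "2.25.22.1"),               # newer than the fixed build
]

if __name__ == "__main__":
    for device, product, version in triage(SAMPLE_INVENTORY):
        print(f"{device}: {product} {version} is below {FIXED_VERSIONS[product]}; update")
```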