WhatsApp has issued a critical security advisory addressing a newly discovered zero-day vulnerability, tracked as CVE-2025-55177, which has been exploited in highly sophisticated zero-click attacks targeting Mac and iOS users.
The vulnerability, combined with an OS-level flaw (CVE-2025-43300), has raised alarms about the potential compromise of user devices and data, including sensitive messages.
Vulnerability Details
WhatsApp’s investigation, detailed in a Friday security advisory, revealed that the flaw stems from an “incomplete authorization of linked device synchronization messages” in WhatsApp for iOS (prior to version 2.25.21.73), WhatsApp Business for iOS (prior to v2.25.21.78), and WhatsApp for Mac (prior to v2.25.21.78).
This vulnerability allowed an unrelated user to trigger the processing of content from an arbitrary URL on a target’s device, bypassing the need for any user interaction—hence the “zero-click” designation.
The severity escalated when it was discovered that this WhatsApp flaw was exploited in conjunction with CVE-2025-43300, an out-of-bounds write vulnerability in Apple’s ImageIO framework.
Apple had previously patched this OS-level issue, confirming its exploitation in “extremely sophisticated attacks against specific targeted individuals.”
The combination of these vulnerabilities created a potent attack vector, potentially leading to memory corruption and unauthorized access to device data.
Ongoing Investigation
The incident has prompted an active investigation by Amnesty International’s Security Lab, which is examining cases involving several individuals targeted in this campaign.
Early indications suggest that the WhatsApp attack is impacting both iPhone and Android users, with civil society individuals, including journalists and human rights defenders, among those affected.
The persistent threat of government spyware continues to endanger these groups, underscoring the need for robust protective measures.
Notably, the Apple vulnerability (CVE-2025-43300) resides in a core image library, meaning it could potentially be exploited through other applications besides WhatsApp; updating WhatsApp alone therefore does not close that OS-level hole, and the Apple update is required as well.
“CVE-2025-55177, an authorization bypass in WhatsApp on iOS and Mac, allowed attackers to force ‘content from an arbitrary URL’ to be rendered on a target’s device.”
WhatsApp and security experts advise the following steps to mitigate risks:
- Update WhatsApp to the latest version (iOS v2.25.21.73 or later, Business iOS v2.25.21.78 or later, Mac v2.25.21.78 or later).
- Install the latest operating system updates for iOS, iPadOS, and macOS.
- Enable enhanced security features such as Lockdown Mode on iOS or Advanced Protection on Android.
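The first mitigation step above is easiest to verify at scale from a device inventory. The following is an added example, not WhatsApp’s or Apple’s tooling: it compares each recorded WhatsApp build against the fixed versions named in the advisory and flags what still needs updating. The app identifiers and the inventory records are constructed assumptions; only the version cut-offs come from the advisory. It does not model the OS update step, since the page gives no iOS or macOS version numbers.

```python
"""Check a device inventory against the fixed WhatsApp versions for CVE-2025-55177.

Added example (not WhatsApp's or Apple's code). The inventory records below are
constructed sample data; the version thresholds come from the advisory text.
"""
from typing import Dict, List, Tuple

# Minimum fixed versions from the advisory: anything older is affected.
# The app identifiers are assumed labels, not anything WhatsApp publishes.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "whatsapp-ios": (2, 25, 21, 73),
    "whatsapp-business-ios": (2, 25, 21, 78),
    "whatsapp-mac": (2, 25, 21, 78),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v2.25.21.73' or '2.25.21.73' into a comparable tuple of ints.

    Raises ValueError on anything that is not dotted integers, so bad
    inventory data fails loudly instead of silently comparing as 'patched'.
    """
    cleaned = text.strip().lstrip("vV")
    if not cleaned:
        raise ValueError(f"empty version string: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(app: str, version: str) -> bool:
    """True if this app/version pair is older than the advisory's fixed version.

    Unknown app ids raise KeyError rather than being reported as safe.
    """
    fixed = FIXED_VERSIONS[app]
    v = parse_version(version)
    # Pad shorter tuples so that 2.25.21 compares like 2.25.21.0.
    width = max(len(v), len(fixed))
    v_padded = v + (0,) * (width - len(v))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return v_padded < fixed_padded


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory records that still need attention.

    Each record has 'device', 'app' and 'version'. Records that are patched
    are dropped; unknown app ids and unparseable versions are kept and
    labelled so a human reviews them instead of assuming they are fine.
    """
    findings: List[Dict[str, str]] = []
    for rec in inventory:
        try:
            status = "update-required" if is_affected(rec["app"], rec["version"]) else "patched"
        except KeyError:
            status = "unknown-app"
        except ValueError:
            status = "bad-version"
        if status != "patched":
            findings.append({**rec, "status": status})
    return findings


# Constructed sample inventory: one record per installed WhatsApp build.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "phone-01", "app": "whatsapp-ios", "version": "2.25.21.72"},
    {"device": "phone-02", "app": "whatsapp-ios", "version": "v2.25.21.73"},
    {"device": "phone-03", "app": "whatsapp-business-ios", "version": "2.25.21.73"},
    {"device": "mac-01", "app": "whatsapp-mac", "version": "2.25.21.78"},
    {"device": "mac-02", "app": "whatsapp-mac", "version": "2.25.20.90"},
    {"device": "tablet-01", "app": "whatsapp-android", "version": "2.25.21.1"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['device']}: {finding['app']} {finding['version']} -> {finding['status']}")
```

Note that the Business build on phone-03 is at 2.25.21.73, which is fixed for the consumer iOS app but still below the 2.25.21.78 cut-off for WhatsApp Business, so the check keys on the app, not just the number.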