U.S. CISA adds WhatsApp and TP-Link flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds WhatsApp and TP-Link flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added WhatsApp and TP-Link flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the descriptions for these flaws:
- CVE-2020-24363 TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability
- CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability
CVE-2020-24363 (CVSS 8.8) is a missing authentication flaw in the TP-Link TL-WA855RE Wi-Fi extender, enabling unauthenticated attackers on the same network to factory reset the device and set a new admin password. The issue was fixed in firmware TL-WA855RE(EU)_V5_200731, but the product is end-of-life (EoL). Users should replace it, as no further patches are expected. Exploitation details were not disclosed.
Last week, Donncha Ó Cearbhaill, Head of Security Lab at @AmnestyTech, reported that a new zero-click exploit, tracked as CVE-2025-55177, was used to hack WhatsApp users. WhatsApp has just sent out a round of threat notifications to individuals it believes were targeted by an advanced spyware campaign in the past 90 days. The company warned some users that a malicious message may have exploited OS flaws to compromise devices and data. The attack requires no user interaction, meaning victims could be compromised without clicking a link or downloading a file. Such exploits are typically linked to well-resourced threat actors, including state-sponsored groups. WhatsApp urges recipients of the notification to review their devices for unusual behavior, update to the latest version, and enable enhanced security measures to reduce the risk of further compromise.
WhatsApp announced that it had already patched the flaw exploited by attackers, but risks remain.
Amnesty researchers investigating the attack report that the exploit targets an authorization bypass issue, tracked as CVE-2025-55177, in WhatsApp on iOS and macOS. The exploit allowed attackers to force “content from arbitrary URL” to be rendered on a target’s device. Threat actors also exploited a zero-click vulnerability, recently patched by Apple (CVE-2025-43300), in the attacks.
The WhatsApp zero-click attack affects both iPhone and Android users, including civil society.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by September 23, 2025.
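As a defender-side illustration of the BOD 22-01 workflow described above, here is an added Python example (not code from the article, CISA or any vendor) that reconciles scanner findings against a KEV-shaped feed and ranks them by days remaining to the catalog due date. The feed field names and the sample assets are assumptions; only the two CVE IDs, their catalog names and the September 23, 2025 due date come from the article, and the required-action text and finding rows are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the live feed is published at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the CVE IDs, names and the 2025-09-23 due date come from the article; the
# requiredAction strings are constructed placeholders, not CISA's wording.
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2020-24363", "vendorProject": "TP-Link", "product": "TL-WA855RE",
     "vulnerabilityName": "TP-Link TL-WA855RE Missing Authentication for Critical Function Vulnerability",
     "dueDate": "2025-09-23", "requiredAction": "Product is EoL; replace it (constructed text)"},
    {"cveID": "CVE-2025-55177", "vendorProject": "Meta Platforms", "product": "WhatsApp",
     "vulnerabilityName": "Meta Platforms WhatsApp Incorrect Authorization Vulnerability",
     "dueDate": "2025-09-23", "requiredAction": "Update to the patched version (constructed text)"}
  ]
}"""

# Constructed scanner export: one row per (asset, CVE). Asset names are hypothetical.
SAMPLE_FINDINGS = [
    {"asset": "extender-lobby-01", "cve": "CVE-2020-24363"},
    {"asset": "exec-iphone-07", "cve": "CVE-2025-55177"},
    {"asset": "exec-iphone-07", "cve": "CVE-2025-43300"},  # Apple flaw named in the article; not in this sample feed
    {"asset": "web-proxy-02", "cve": "CVE-2099-00001"},    # placeholder CVE, deliberately absent from KEV
]


def load_kev(kev_json: str) -> dict:
    """Index KEV entries by CVE ID so each finding is a single dictionary lookup."""
    return {v["cveID"].upper(): v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(kev_json: str, findings: list, today_iso: str) -> list:
    """Return the findings listed in KEV, most overdue first, with BOD 22-01 deadline status."""
    kev = load_kev(kev_json)
    today = date.fromisoformat(today_iso)
    hits = []
    for f in findings:
        entry = kev.get(f["cve"].upper())
        if entry is None:
            continue  # not in KEV: still a vulnerability, but not under the BOD 22-01 deadline
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days  # negative = past due
        hits.append({"asset": f["asset"], "cve": entry["cveID"],
                     "product": f"{entry['vendorProject']} {entry['product']}",
                     "due": entry["dueDate"], "days_left": days_left,
                     "action": entry["requiredAction"]})
    return sorted(hits, key=lambda h: (h["days_left"], h["asset"]))


if __name__ == "__main__":
    for h in triage(SAMPLE_KEV_JSON, SAMPLE_FINDINGS, "2025-09-20"):
        print(f"{h['asset']:<18} {h['cve']:<15} due {h['due']} ({h['days_left']:+d} days) {h['action']}")
```

In production the findings list would come from your scanner's export and the feed from the published JSON; the non-KEV rows are intentionally left out of the ranked list so the deadline-bound items stand out.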
Pierluigi Paganini
(SecurityAffairs – hacking, cisa)