WhatsApp has disclosed a zero-day flaw that was used in precision attacks against Apple users.
The bug, tracked as CVE-2025-55177 with a CVSS score of 8.0, involved incomplete authorization of linked-device sync messages. In practice, that meant an attacker could trick a device into processing content from arbitrary URLs.
The issue affected WhatsApp for iOS before version 2.25.21.73, WhatsApp Business for iOS before 2.25.21.78, and WhatsApp for Mac before 2.25.21.78.
According to WhatsApp’s advisory, the flaw appears to have been paired with another Apple vulnerability, CVE-2025-43300, in a sophisticated campaign aimed at select targets.
Apple patched CVE-2025-43300 on August 20. The weakness was an out-of-bounds write in the ImageIO framework that cut across iOS, iPadOS, and macOS. Apple fixed it in iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8.
Technical details remain scarce, but Apple confirmed the bug was under active attack.
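For a defender, the actionable part of the two advisories is the list of fixed versions. The following script is an added example, not code from the article, WhatsApp or Apple: it encodes the fixed WhatsApp builds and Apple OS releases stated above and audits a constructed device inventory (the device names, versions and the inventory layout are assumptions, not real data). It also generalizes the OS check to Apple's per-branch fixes, so a macOS 14 device is compared against 14.7.8 rather than 15.6.1, and a device on a branch the advisory does not list is flagged for manual review instead of being silently marked patched.

```python
from typing import Dict, List, Tuple

# Fixed versions as stated in the WhatsApp advisory quoted above.
# A build strictly below the fix is treated as affected.
WHATSAPP_FIXED: Dict[str, str] = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

# Apple fixes for CVE-2025-43300, keyed by platform and then by major release branch.
APPLE_FIXED: Dict[str, Dict[int, str]] = {
    "iOS": {18: "18.6.2"},
    "iPadOS": {18: "18.6.2", 17: "17.7.10"},
    "macOS": {15: "15.6.1", 14: "14.7.8", 13: "13.7.8"},
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.25.21.73' (or '18.6.2 (22G100)') into a comparable integer tuple."""
    token = v.strip().split()[0]
    return tuple(int(part) for part in token.split("."))


def whatsapp_vulnerable(product: str, version: str) -> bool:
    """True when the installed build is older than the fixed build for that product."""
    return parse_version(version) < parse_version(WHATSAPP_FIXED[product])


def apple_os_status(platform: str, version: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' when the advisory lists no fix for that major."""
    parsed = parse_version(version)
    branches = APPLE_FIXED[platform]
    major = parsed[0]
    if major not in branches:
        # e.g. macOS 12: the advisory lists no fix, so a human must decide, not the script.
        return "unknown-branch"
    return "patched" if parsed >= parse_version(branches[major]) else "vulnerable"


# Constructed sample inventory (assumption: an MDM export of OS and app versions per device).
INVENTORY: List[dict] = [
    {"device": "ios-001", "platform": "iOS", "os": "18.6.2",
     "apps": {"WhatsApp for iOS": "2.25.21.73"}},
    {"device": "ios-002", "platform": "iOS", "os": "18.6.1",
     "apps": {"WhatsApp Business for iOS": "2.25.21.77"}},
    {"device": "mac-001", "platform": "macOS", "os": "14.7.7",
     "apps": {"WhatsApp for Mac": "2.25.21.78"}},
    {"device": "ipad-001", "platform": "iPadOS", "os": "17.7.10", "apps": {}},
    {"device": "mac-002", "platform": "macOS", "os": "12.7.6",
     "apps": {"WhatsApp for Mac": "2.25.20.1"}},
]


def audit(inventory: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (device, component, state) for every OS or app that is not confirmed patched."""
    findings: List[Tuple[str, str, str]] = []
    for dev in inventory:
        os_state = apple_os_status(dev["platform"], dev["os"])
        if os_state != "patched":
            findings.append((dev["device"], f"{dev['platform']} {dev['os']}", os_state))
        for app, ver in dev["apps"].items():
            if whatsapp_vulnerable(app, ver):
                findings.append((dev["device"], f"{app} {ver}", "vulnerable"))
    return findings


if __name__ == "__main__":
    for device, component, state in audit(INVENTORY):
        print(f"{device:10} {component:35} {state}")
```

Tuple comparison handles short version strings correctly ("18.6" sorts below "18.6.2"), and the ordering of the fixed-version dictionaries is the only thing that needs updating when a vendor ships a further fix on an additional branch.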
Particularly Challenging to Mitigate
James Maude, Field CTO at BeyondTrust, comments: “Meta have been proactive in both discovering the CVE-2025-55177 vulnerability and using in-app messaging to communicate with potentially targeted individuals.”
Maude says that when chained with CVE-2025-43300, an image processing vulnerability in iOS and macOS, it may have been possible for threat actors to use an arbitrary URL to trigger the image processing vulnerability using a zero-click exploit. “This form of exploit with no user interactions is particularly challenging to mitigate, so it is vital that users update as soon as possible.”
This appears to have been contained within the Mac ecosystem, as the affected products were WhatsApp Desktop for Mac and WhatsApp and WhatsApp Business for iOS, he continues. “While the exact details are not yet clear, versions of the app from 2.22.25.2 to 2.25.21.73 are affected. Version 2.22.25.20 was released in late 2022 and introduced the ‘view once’ disappearing message, which means that this vulnerability has existed for some time.”
For many entities, Maude says WhatsApp serves as an unofficial communications tool for employees and may inadvertently hold confidential company information. “While it appears that in this case the exploitation in the wild was brief and identifiable, it serves as a reminder to ensure that the lines between personal and professional communication tools remain clear.”
Patching iOS Devices is as Important as Windows
Lawrence Pingree, Dispersive Technical Evangelist (and former lead Gartner analyst), adds: “This is basically an example of where an application can be tampered with in such a way as to cause it to load content from another (unvalidated) source of content. In the case of the ImageIO library, this is a vulnerability in image processing – such as when you receive a message and get a view of the image previewed as a small image in your chat.”
Pingree says what makes vulnerabilities like this especially bad is that they allow people to send images to various users, and because the viewer automatically loads an image, if the image content has the exploit contained within it, then your device can become breached without any clicks or knowledge of the user. “Patching iOS devices and Apple products is just as important as Windows – even though Windows gets targeted immensely.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.