WhatsApp Rolls Out Urgent Update to Address Critical Zero-Click Exploit for iOS and macOS Users

WhatsApp has released an emergency update to address a critical security vulnerability in its messaging applications for Apple iOS and macOS. The vulnerability may have been actively exploited in targeted zero-day attacks that leveraged a flaw recently disclosed by Apple.

The vulnerability, identified as CVE-2025-55177 with a CVSS score of 8.0, stems from insufficient authorization of linked device synchronization messages. The WhatsApp Security Team’s internal researchers played a pivotal role in the discovery and reassessment of this bug. Meta, the parent company of WhatsApp, acknowledged that this security flaw "could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device."

This vulnerability affects several versions of WhatsApp, including:

  • WhatsApp for iOS prior to version 2.25.21.73
  • WhatsApp Business for iOS version 2.25.21.78
  • WhatsApp for Mac version 2.25.21.78

Moreover, it is suggested that this issue could have been chained with another vulnerability (CVE-2025-43300) that impacts iOS, iPadOS, and macOS, as part of a sophisticated attack aimed at specific targets. The latter flaw, disclosed by Apple, is an out-of-bounds write in the ImageIO framework that could cause memory corruption when processing malicious images.

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, mentioned that WhatsApp had informed a number of individuals that they might have been targeted in an advanced spyware campaign leveraging CVE-2025-55177 over the past 90 days. In communications with the affected users, WhatsApp suggested conducting a full factory reset of their devices and advised them to keep their operating systems and the app itself updated for optimal security.

Ó Cearbhaill classified the duo of vulnerabilities as a "zero-click" attack, meaning no user interaction is necessary for the attack to succeed. He expressed early concerns about the impact of the WhatsApp attack, highlighting that it seems to be affecting both iPhone and Android users, particularly those within civil society. He added that government spyware poses a significant risk to journalists and human rights defenders.

Currently, the specific identities of those behind the attacks and the spyware vendors remain unknown. Users are urged to respond promptly to security advisories and updates to mitigate potential risks.

