
CVE-2025-55177: WhatsApp Authorization Flaw Exploited in Zero-Click Spyware Chain

Filip Dimitrov

September 2, 2025

WhatsApp has patched CVE-2025-55177, an authorization flaw in its linked-device synchronization feature that was exploited in the wild. 

While Meta originally rated it medium severity, it has since been tied to a zero-click spyware chain alongside Apple’s CVE-2025-43300 (a critical ImageIO vulnerability). Attackers could trick WhatsApp into retrieving malicious content from an external URL, which then exploited Apple’s flaw to achieve code execution with no user interaction.

This chain has been observed in highly targeted campaigns against journalists, executives, and civil society members. Both Meta and Apple have released urgent updates, and organizations must treat this as a high-risk incident class despite the low number of confirmed victims.

Vulnerability Details

CVE-2025-55177 allows a malicious actor to force WhatsApp to process attacker-controlled content during device synchronization. The flaw, on its own, might have enabled crafted content injection or denial of service. 

In practice, however, it became far more dangerous when combined with Apple’s CVE-2025-43300. That second flaw, in Apple’s ImageIO image-parsing framework, enabled out-of-bounds memory writes leading to remote code execution on iOS and macOS devices.

This is what made the chain so powerful: a simple incoming WhatsApp message could deliver a malicious image, triggering exploitation without requiring the user to tap, click, or accept anything. In other words, a true zero-click attack.

Impact and Targeting

The confirmed targeting so far has been narrow and strategic. WhatsApp issued in-app threat notifications to fewer than 200 users, consistent with previous mercenary spyware operations. 

Apple simultaneously published advisories acknowledging active exploitation in the wild. While Amnesty International researchers suggested that some Android users may also have been probed, the strongest evidence points to iOS and macOS users being the primary focus.

For enterprises, the risk is clear: if executives, board members, legal staff, or employees with access to sensitive IP use WhatsApp on corporate devices, they could become entry points for surveillance and exfiltration.

Recommended Actions

Organizations should act quickly to contain exposure:

  • Update immediately: WhatsApp users must be on iOS version 2.25.21.73 or higher, Business iOS on 2.25.21.78, and Mac on 2.25.21.78. Apple devices must run iOS/iPadOS 18.6.2 (or 17.7.10) and macOS 15.6.1, 14.7.8, or 13.7.8.
  • Audit linked devices: Instruct users to open WhatsApp → Linked Devices and remove any unknown or suspicious sessions.
  • Protect high-value users: Consider enabling Lockdown Mode on iOS for executives and other at-risk staff.
  • Awareness and reporting: Ensure staff know to escalate any WhatsApp or Apple threat notifications immediately to security teams.

Detection and Response

Detection on iOS remains limited due to Apple’s security model, but defenders can still take proactive steps. On macOS, security teams should look for WhatsApp processes fetching content from non-WhatsApp domains and anomalous network activity shortly after message receipt. Monitoring DNS and proxy logs for rare domains accessed by WhatsApp can provide useful hunting leads.
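As an added example (not code from the post, Meta, or Apple), the hunting logic above run over constructed proxy-log lines: it flags WhatsApp connections to domains outside an assumed first-party allowlist and ranks them by how many hosts touched each domain, so the rarest destinations surface first. The log format and the allowlist suffixes are assumptions; build the real allowlist from your own baseline traffic.

```python
"""Hunting helper: flag WhatsApp fetches to non-WhatsApp domains and rank by rarity."""

# Assumed first-party suffixes (illustrative; derive the real list from baseline traffic).
WHATSAPP_SUFFIXES = ("whatsapp.net", "whatsapp.com", "fbcdn.net")

# Constructed sample proxy log, one event per line: "<ts> <host> <process> <domain>"
SAMPLE_LOG = """\
2025-09-01T09:14:02 mac-01 WhatsApp mmg.whatsapp.net
2025-09-01T09:14:03 mac-01 WhatsApp cdn.example-rare.net
2025-09-01T09:20:11 mac-02 WhatsApp static.whatsapp.net
2025-09-01T09:21:40 mac-02 Safari cdn.example-rare.net
2025-09-01T10:02:55 mac-03 WhatsApp media-cache.example.org
2025-09-01T10:02:56 mac-01 WhatsApp media-cache.example.org
2025-09-01T10:02:57 mac-02 WhatsApp media-cache.example.org
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, domain = line.split()
        entries.append({"ts": ts, "host": host, "proc": proc, "domain": domain.lower()})
    return entries


def is_first_party(domain):
    """True if the domain is (a subdomain of) an allowlisted WhatsApp suffix."""
    return any(domain == s or domain.endswith("." + s) for s in WHATSAPP_SUFFIXES)


def hunt(entries, process="WhatsApp"):
    """Return (domain, distinct_hosts, hits) for every non-first-party domain the
    given process contacted, sorted rarest first. Rarity = number of distinct hosts
    that reached the domain via any process, which is what DNS/proxy logs give you."""
    hosts_per_domain = {}
    for e in entries:
        hosts_per_domain.setdefault(e["domain"], set()).add(e["host"])
    hits = {}
    for e in entries:
        if e["proc"] == process and not is_first_party(e["domain"]):
            hits.setdefault(e["domain"], []).append(e)
    flagged = [(d, len(hosts_per_domain[d]), h) for d, h in hits.items()]
    return sorted(flagged, key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    for domain, n_hosts, hits in hunt(parse_log(SAMPLE_LOG)):
        print(f"{domain}: seen on {n_hosts} host(s), {len(hits)} WhatsApp fetch(es)")
```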

If compromise is suspected, the safest course is to isolate the device, preserve evidence, reset to factory settings after patching, and re-enroll via MDM. Critical accounts should be reset from a clean device, and compromised numbers or Apple IDs may need to be rotated for repeat targets.

Stay Safe. Stay Secure.

OP Innovate Research Team
