WhatsApp has addressed a safety vulnerability in its messaging apps for Apple iOS and macOS that it mentioned might have been exploited within the wild together with a just lately disclosed Apple flaw in focused zero-day assaults.
The vulnerability, CVE-2025-55177 (CVSS rating: 8.0 [CISA-ADP]/5.4 [Facebook]), pertains to a case of inadequate authorization of linked machine synchronization messages. Inside researchers on the WhatsApp Safety Crew have been credited with discovering and rerating the bug.
The Meta-owned firm mentioned the difficulty “may have allowed an unrelated person to set off processing of content material from an arbitrary URL on a goal’s machine.”
The flaw impacts the next variations –
- WhatsApp for iOS previous to model 2.25.21.73 (Patched on July 28, 2025)
- WhatsApp Enterprise for iOS model 2.25.21.78 (Patched on August 4, 2025), and
- WhatsApp for Mac model 2.25.21.78 (Patched on August 4, 2025)
It additionally assessed that the shortcoming might have been chained with CVE-2025-43300, a vulnerability affecting iOS, iPadOS, and macOS, as a part of a complicated assault in opposition to particular focused customers.
CVE-2025-43300 was disclosed by Apple final week as having been weaponized in an “extraordinarily refined assault in opposition to particular focused people.”
The vulnerability in query is an out-of-bounds write vulnerability within the ImageIO framework that would lead to reminiscence corruption when processing a malicious picture.
Donncha Ó Cearbhaill, head of the Safety Lab at Amnesty Worldwide, mentioned WhatsApp has notified an unspecified variety of people that they imagine had been focused by a sophisticated spyware and adware marketing campaign up to now 90 days utilizing CVE-2025-55177.
Within the alert despatched to the focused people, WhatsApp has additionally beneficial performing a full machine manufacturing unit reset and preserving their working system and the WhatsApp app up-to-date for optimum safety. It is at present not recognized who, or which spyware and adware vendor, is behind the assaults.
Ó Cearbhaill described the pair of vulnerabilities as a “zero-click” assault, that means it doesn’t require any person interplay, resembling clicking a hyperlink, to compromise their machine.
“Early indications are that the WhatsApp assault is impacting each iPhone and Android customers, civil society people amongst them,” Ó Cearbhaill mentioned. “Authorities spyware and adware continues to pose a menace to journalists and human rights defenders.”
Replace
In a press release shared with The Hacker Information, WhatsApp mentioned it despatched in-app menace notifications to lower than 200 customers who might have been focused as a part of the marketing campaign.
(The story was up to date after publication to make clear that patches had been launched for the flaw in late July/August 2025.)
