316/68 Monday, September 1, 2025

WhatsApp has issued a security patch addressing CVE-2025-55177 (CVSS 5.4), which has been actively exploited in the wild in conjunction with Apple’s zero-day vulnerability CVE-2025-43300. The flaw stems from insufficient authorization in the Linked Device Synchronization process, which could allow attackers to force unauthorized URL content to be processed on the target device.
The vulnerability affects multiple versions of WhatsApp, including:
- WhatsApp for iOS prior to version 2.25.21.73
- WhatsApp Business for iOS version 2.25.21.78
- WhatsApp for Mac version 2.25.21.78
Meta noted that the flaw could be exploited as part of a zero-click attack, requiring no link clicks or user interaction. Security researchers believe the vulnerability has been weaponized in advanced spyware campaigns over the past 90 days, targeting specific individuals—particularly human rights activists and journalists. Amnesty International disclosed that WhatsApp has notified targeted individuals and advised them to factory reset their devices and update both their operating system and WhatsApp to the latest version for protection.
The vulnerability is also linked to CVE-2025-43300 in Apple’s ImageIO Framework, which Apple confirmed was used in a “sophisticated, highly targeted” attack. WhatsApp stated that users who update to the patched versions are now protected from this attack vector.
Source: https://thehackernews.com/2025/08/whatsapp-issues-emergency-update-for.html