Meta's WhatsApp Security Team has patched a zero-day flaw (CVE-2025-55177) in WhatsApp for iOS (prior to v2.25.21.73), WhatsApp Business for iOS (prior to v2.25.21.78), and WhatsApp for Mac (prior to v2.25.21.78).
According to the advisory, "Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device."
In plain terms, the vulnerability could be exploited by sending malicious synchronization messages to a victim's device, causing it to process attacker-controlled content. On its own, this posed a risk of unauthorized content execution, but paired with the Apple zero-day, it became far more powerful.
The WhatsApp Security Team noted: "We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users."
This month, Apple released emergency updates for iOS, iPadOS, and macOS to fix CVE-2025-43300, an out-of-bounds write vulnerability in the Image I/O framework.
Apple explains: "An out-of-bounds write occurs when attackers successfully exploit such vulnerabilities by supplying input to a program, causing it to write data outside the allocated memory buffer." This type of flaw can cause:
- Crashes or instability,
- Data corruption, or
- Remote Code Execution (RCE) in the worst-case scenario.
Because Image I/O is responsible for handling many image file formats, a malicious payload embedded in an image could give attackers the ability to execute arbitrary code at the OS level.
While both vulnerabilities are dangerous independently, their combined exploitation is what makes this attack particularly alarming.
- WhatsApp CVE-2025-55177 allowed attackers to trick the victim device into fetching and processing malicious content from an attacker-controlled URL.
- Apple CVE-2025-43300 then enabled attackers to use that malicious payload to achieve remote code execution on the device.
This chain provided attackers with a stealthy and powerful attack vector that required minimal user interaction, a hallmark of advanced targeted operations often associated with nation-state actors or well-funded surveillance vendors.
WhatsApp users should immediately update to:
- WhatsApp for iOS v2.25.21.73 or later,
- WhatsApp Business for iOS v2.25.21.78 or later,
- WhatsApp for Mac v2.25.21.78 or later.
Apple users should install the latest security updates for iOS, iPadOS, and macOS, which patch CVE-2025-43300 in Image I/O.
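As an added illustration (not code from the advisory or from WhatsApp), a small Python helper that checks installed WhatsApp builds against the fixed versions listed above and flags devices still needing the update; the product keys and the sample inventory are constructed for the example.

```python
from typing import List, Tuple

# Minimum fixed builds for CVE-2025-55177, as stated in the advisory summarized above.
FIXED_VERSIONS = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a dotted build string into an integer tuple.

    Comparing as integers matters: as strings, "2.25.21.9" sorts *above*
    "2.25.21.73", which would wrongly mark an old build as patched.
    A shorter prefix such as (2, 25, 21) compares below (2, 25, 21, 73).
    """
    parts = version.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_to_cve_2025_55177(product: str, installed: str) -> bool:
    """Return True if the installed build is below the fixed build for this product."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"unknown product {product!r}; expected one of {sorted(FIXED_VERSIONS)}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (device, product, version) rows, return the devices that still need updating."""
    return [device for device, product, version in inventory
            if is_vulnerable_to_cve_2025_55177(product, version)]


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    ("ios-exec-01", "whatsapp-ios", "2.25.21.9"),            # newer as a string, older numerically
    ("ios-exec-02", "whatsapp-ios", "2.25.21.73"),           # exactly the fixed build
    ("ios-press-07", "whatsapp-business-ios", "2.25.20.80"),  # earlier minor build
    ("mac-legal-03", "whatsapp-mac", "2.25.22.1"),           # later minor build
]

if __name__ == "__main__":
    for device in triage_inventory(SAMPLE_INVENTORY):
        print(f"{device}: update required for CVE-2025-55177")
```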
Given the targeted nature of exploitation, the risk to the average user may be low, but for high-value targets such as journalists, diplomats, human rights defenders, and executives, the urgency is critical.