WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

Aug 30, 2025 | Ravie Lakshmanan | Zero-Day / Vulnerability

WhatsApp recently patched a security vulnerability in its iOS and macOS messaging apps that could have been exploited in the wild alongside a known Apple flaw in targeted zero-day attacks.

The vulnerability, tracked as CVE-2025-55177 with a CVSS score of 8.0, involved inadequate authorization of linked device synchronization messages. The bug was discovered and fixed by WhatsApp’s internal security team.

According to WhatsApp, the flaw could have allowed an unauthorized user to trigger the processing of content from any URL on a target device.

The affected versions include:

  • WhatsApp for iOS prior to version 2.25.21.73
  • WhatsApp Business for iOS version 2.25.21.78
  • WhatsApp for Mac version 2.25.21.78

It’s believed that this vulnerability could have been exploited in conjunction with CVE-2025-43300, an iOS, iPadOS, and macOS vulnerability, in targeted attacks against specific users.

This particular Apple vulnerability, CVE-2025-43300, was disclosed last week and was utilized in a sophisticated attack against specific individuals.

Security Lab head at Amnesty International, Donncha Ó Cearbhaill, revealed that WhatsApp notified certain individuals targeted by an advanced spyware campaign in the past 90 days using CVE-2025-55177. The affected users were advised to perform a full device reset and keep their systems updated for enhanced protection.

Ó Cearbhaill described the attack as “zero-click,” meaning that no user interaction is required for the device to be compromised. The WhatsApp attack is said to impact both iPhone and Android users, including civil society individuals.

“Government spyware poses a continuing threat to journalists and human rights defenders,” Ó Cearbhaill stated.