WhatsApp Releases Urgent Update to Address Zero-Click Exploit on iOS and macOS


WhatsApp Fixes Major Security Flaw Affecting iOS and Mac Users

Introduction to the Vulnerability

WhatsApp has recently patched a significant security flaw in its messaging applications for both Apple iOS and macOS. The vulnerability may have been exploited in the wild and is linked to a recently publicized Apple security issue that has been used against targeted users in sophisticated zero-day attacks.

Details of the Vulnerability

The vulnerability, identified as CVE-2025-55177, carries a CVSS score of 8.0, indicating a high severity level. It stems from inadequate authorization in the synchronization of linked device messages. The WhatsApp Security Team’s internal researchers played a crucial role in identifying and reassessing the nature of this bug.

According to WhatsApp, this flaw could allow an unauthorized user to trigger the processing of content from arbitrary URLs on a targeted device, raising serious privacy and security concerns.

Affected Versions

This vulnerability impacts several specific versions of WhatsApp:

  • WhatsApp for iOS: Prior to version 2.25.21.73
  • WhatsApp Business for iOS: Version 2.25.21.78
  • WhatsApp for Mac: Version 2.25.21.78

This issue is also thought to interact with another vulnerability, CVE-2025-43300, which affects iOS, iPadOS, and macOS. The combination could pose a significant threat as part of advanced targeted attacks.

The Link to Apple’s Security Flaw

CVE-2025-43300 was disclosed by Apple recently and has been noted for its potential use in "extremely sophisticated attacks" targeting specific individuals. This vulnerability is described as an out-of-bounds write issue within the ImageIO framework that could lead to memory corruption during the processing of malicious images.

Notifications to Targeted Individuals

Donncha Ó Cearbhaill, the head of the Security Lab at Amnesty International, has reported that WhatsApp informed a number of individuals who might have been targeted by an advanced spyware campaign exploiting CVE-2025-55177 within the last 90 days.

In their notifications, WhatsApp has advised those targeted to perform a full device factory reset and ensure that both their operating system and WhatsApp application are kept up to date for maximum protection. However, details about the specific individuals or the spyware vendor behind these attacks remain unclear.

Nature of the Threat

Ó Cearbhaill has characterized the vulnerabilities as a form of "zero-click" attack, meaning that no user interaction (such as clicking a link) is required for the device to be compromised. This method significantly raises the level of threat, as it can affect users without their knowledge.

Preliminary findings suggest that the WhatsApp-related attack affects both iPhone and Android users, particularly members of civil society, indicating ongoing risks for journalists and human rights advocates who may be targeted by government spyware.

Conclusion

As cybersecurity threats continue to evolve, it is crucial for users to stay informed about vulnerabilities and update their apps regularly. The recent discoveries regarding WhatsApp underscore the importance of maintaining device security, particularly for individuals involved in sensitive work or communities susceptible to targeted attacks.
