WhatsApp has shared details on a zero-day vulnerability that was exploited in highly targeted attacks against Apple users.
Tracked as CVE-2025-55177 (CVSS score of 8.0), the bug is described as an “incomplete authorization of linked device synchronization messages”.
An attacker could have exploited the issue to trigger the processing of content from arbitrary URLs on the victims’ devices, WhatsApp’s advisory reads.
“We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users,” the Meta-owned communication platform says.
Patched on August 20, CVE-2025-43300 is an out-of-bounds write issue that impacts the ImageIO framework component of Apple’s iOS, iPadOS, and macOS products.
The Cupertino-based tech giant resolved the flaw in iOS 18.6.2 and iPadOS 18.6.2, iPadOS 17.7.10, macOS Sequoia 15.6.1, macOS Sonoma 14.7.8, and macOS Ventura 13.7.8, without sharing technical information on it, but warning of its active exploitation.
“Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals,” Apple said.
WhatsApp, which patched CVE-2025-55177 in July and August in WhatsApp for iOS version 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78, did not share details on the observed attacks either.
According to Amnesty International’s Donncha Ó Cearbhaill, however, the security defects were chained in zero-click attacks, part of a suspected spyware campaign.
“Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them. Government spyware continues to pose a threat to journalists and human rights defenders,” Ó Cearbhaill said on X.
Given that the Apple flaw affects a core image library, the attackers might have exploited other applications as well, Ó Cearbhaill says.
In addition to rolling out patches for the zero-day, WhatsApp also sent notifications to the potentially targeted individuals. Roughly 200 people were notified, Meta said.
“WhatsApp and Apple devices are some of the most widely used technologies on the planet, especially among senior executives. That popularity makes them prime targets. Attackers know that if they can find a way in, the payoff is large. It’s why we see significant investment from adversaries in uncovering zero-click vulnerabilities like this one,” Jamf senior security strategy manager Adam Boynton said.