WhatsApp Patches Zero-Click Exploit Targeting iOS and macOS Devices
by Massif - 02-09-25, 01:37 AM
WhatsApp has fixed a high-severity security flaw (CVE-2025-55177) in its iOS and macOS apps that may have been exploited alongside a recently disclosed Apple zero-day.

The bug, discovered by WhatsApp’s internal security team, involved insufficient authorization in device synchronization, potentially allowing attackers to force a target’s device to process malicious URLs.

Affected versions:

WhatsApp for iOS before 2.25.21.73 (patched July 28, 2025)

WhatsApp Business for iOS 2.25.21.78 (patched August 4, 2025)

WhatsApp for Mac 2.25.21.78 (patched August 4, 2025)


Researchers believe the flaw was chained with Apple’s CVE-2025-43300, a memory corruption issue in ImageIO, used in highly targeted spyware attacks against individuals.

WhatsApp has alerted a number of users it believes were targeted within the past 90 days and advised them to reset their devices and stay updated. The identity of the attackers or spyware vendor remains unknown.