Zero-Day Vulnerability Patched in WhatsApp for iOS and macOS

WhatsApp developers have patched a zero-day vulnerability affecting versions of the messenger for iOS and macOS. According to the company, this issue—together with a recently disclosed Apple bug—may have been used in “sophisticated attacks targeting specific users.”

The flaw, tracked as CVE-2025-55177, received a CVSS score of 8.0. It stemmed from insufficient authorization of linked-device synchronization messages and was discovered by researchers from WhatsApp’s internal security team.

In a statement, the company explained that the bug “allowed a third party to initiate the processing of content from an arbitrary URL on the victim’s device.”

Affected Versions

The vulnerability was patched in the following releases:

  • WhatsApp for iOS: version 2.25.21.73 (patched July 28, 2025); prior versions are affected
  • WhatsApp Business for iOS: version 2.25.21.78 (patched August 4, 2025)
  • WhatsApp for Mac: version 2.25.21.78 (patched August 4, 2025)

Connection to Apple’s Zero-Day

Developers noted that CVE-2025-55177 may have been exploited alongside CVE-2025-43300, a zero-day patched by Apple in mid-August 2025. That flaw, found in the Image I/O framework—used to read and write image files across multiple formats—impacted iOS, iPadOS, and macOS.

Apple confirmed that CVE-2025-43300 was a zero-click vulnerability actively leveraged in targeted cyber-espionage campaigns.

Evidence of Exploitation

Amnesty International reported that WhatsApp has already notified around 200 individuals who may have been targeted with CVE-2025-55177 in the past 90 days.

In its notifications, WhatsApp recommended that affected users perform a full factory reset of their device and ensure both the operating system and the WhatsApp application remain fully updated to reduce the risk of reinfection.

At present, it has not been disclosed who was behind the espionage activity.