WhatsApp has released security updates for iOS and macOS addressing a 0‑day vulnerability, CVE‑2025‑55177, that the company says was used in highly targeted attacks. The flaw resided in the app’s linked devices synchronization logic and carries a CVSS score of 8.0, indicating high severity. Users are urged to update via the App Store and Mac App Store without delay.
What was fixed: linked device synchronization flaw
According to WhatsApp, the issue stemmed from insufficient authorization of synchronization messages exchanged between paired devices. An attacker could trigger processing of content from an arbitrary URL on the victim device. While this alone may not guarantee code execution, it is a common first stage in modern exploit chains—forcing a device to fetch or parse attacker-controlled content that primes a subsequent exploit.
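To make the failure mode described above concrete, the following is an added example constructed for this page; it is not WhatsApp's code and does not model its real protocol. It shows a toy linked-device sync handler in two forms: a vulnerable one that acts on any sync message, and a hardened one that only processes content references after checking that the sender is a paired device, that the message is authenticated with that device's key, and that the referenced URL points at an expected service host. The device registry, the HMAC scheme, and the `ALLOWED_HOSTS` set are all assumptions of the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed registry: devices paired to one account, each with a per-device
# shared key established at pairing time (assumption of this example).
PAIRED_DEVICES = {
    "phone-primary": b"constructed-key-phone",
    "laptop-01": b"constructed-key-laptop",
}

# Assumption: sync content may only be fetched from the service's own media
# host, never from an arbitrary URL named inside the message.
ALLOWED_HOSTS = {"media.example.invalid"}


def _mac_input(device_id, payload):
    # Canonical serialisation so sender and receiver MAC the same bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return device_id.encode() + b"|" + body


def sign_sync_message(device_id, key, payload):
    """Build an authenticated sync message as a paired device would."""
    mac = hmac.new(key, _mac_input(device_id, payload), hashlib.sha256).hexdigest()
    return {"device_id": device_id, "payload": payload, "mac": mac}


def handle_sync_vulnerable(msg):
    """Insufficient authorization: any message that looks like a sync
    message causes the client to fetch and parse the content it names."""
    return ("fetch", msg["payload"]["content_url"])


def handle_sync_hardened(msg):
    """Authorize the sender, authenticate the message, then constrain the URL
    before any content is fetched or parsed."""
    device_id = msg.get("device_id")
    key = PAIRED_DEVICES.get(device_id)
    if key is None:
        return ("reject", "unknown device")

    payload = msg.get("payload", {})
    expected = hmac.new(key, _mac_input(device_id, payload), hashlib.sha256).hexdigest()
    # Constant-time comparison; a missing MAC compares as "" and fails.
    if not hmac.compare_digest(expected, msg.get("mac", "")):
        return ("reject", "invalid mac")

    url = urlparse(payload.get("content_url", ""))
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return ("reject", "url not allowed")

    return ("fetch", payload["content_url"])


def run_demo():
    """Exercise both handlers on constructed messages and return the outcomes."""
    good_url = "https://media.example.invalid/blob/1"
    legit = sign_sync_message("laptop-01", PAIRED_DEVICES["laptop-01"], {"content_url": good_url})
    # Unpaired sender, no MAC, pointing at an arbitrary host (constructed).
    rogue = {"device_id": "rogue-device", "payload": {"content_url": "http://constructed-host.invalid/x"}}
    # Known device id but forged MAC.
    forged = {"device_id": "laptop-01", "payload": {"content_url": good_url}, "mac": "00" * 32}
    # Authentic message whose content reference leaves the allowed host set.
    offhost = sign_sync_message("laptop-01", PAIRED_DEVICES["laptop-01"],
                                {"content_url": "https://other.invalid/x"})
    return {
        "vulnerable_rogue": handle_sync_vulnerable(rogue),
        "hardened_legit": handle_sync_hardened(legit),
        "hardened_rogue": handle_sync_hardened(rogue),
        "hardened_forged": handle_sync_hardened(forged),
        "hardened_offhost": handle_sync_hardened(offhost),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The order of the checks in the hardened handler is the point: sender authorization and message authentication come before the message's content is even parsed, and the URL constraint means that even an authentic message from a compromised linked device cannot steer the client to fetch content from a host the service does not control.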
The vendor has not published a comprehensive list of affected builds. As a precaution, users should update immediately and enable automatic updates for both the operating system and applications.
Suspected chaining with Apple’s Image I/O zero‑click (CVE‑2025‑43300)
WhatsApp assesses that CVE‑2025‑55177 may have been paired with Apple’s recently patched CVE‑2025‑43300 in Image I/O, the framework responsible for parsing many image formats across iOS and macOS. Apple reported that this zero‑click issue was exploited in real‑world, targeted attacks and shipped a fix in mid‑August 2025.
How the exploit chain likely worked—and why it matters
A plausible sequence mirrors past spyware tradecraft: the messaging‑app flaw (here, WhatsApp linked‑device sync) coerces the device to retrieve content from a remote resource; an operating system‑level bug in Image I/O then enables code execution during image parsing with no user interaction. Similar chains have surfaced before—for example, the 2023 BLASTPASS campaign exploited Image I/O (CVE‑2023‑41064)—underlining the persistent value of image parsers to advanced adversaries.
Scope and current status
Amnesty International reports that WhatsApp notified roughly 200 individuals who may have been targeted over the last 90 days using CVE‑2025‑55177. Notifications advised recipients to consider a factory reset after backing up data and to keep both OS and apps fully up to date. The threat actors behind the campaign have not been publicly identified.
Risk profile and security recommendations
Zero‑click and near‑zero‑click exploit chains disproportionately affect journalists, human rights defenders, political figures, and staff in critical sectors. The following actions reduce exposure and improve resilience:
- Update iOS/iPadOS/macOS and WhatsApp to the latest versions; enable auto‑updates.
- Review WhatsApp Linked Devices and revoke any unknown sessions.
- If you received a WhatsApp notification or observe anomalies, perform a full backup, then a factory reset, and restore only trusted data.
- For high‑risk users, consider enabling Lockdown Mode on iOS/macOS to reduce attack surface.
- Organizations should enforce MDM policies for mandatory patching, monitor Apple device security events, and train users to recognize compromise indicators.
These attacks target invisible system components—content handlers, preview services, and core libraries—where user vigilance has limited effect. Timely patching, minimizing the number of trusted or linked devices, and adhering to the principle of least privilege are therefore essential controls.
The emergence of CVE‑2025‑55177 alongside CVE‑2025‑43300 reinforces a clear trend: adversaries combine app‑level and OS‑level vulnerabilities to achieve silent compromise. Update WhatsApp and Apple platforms promptly, review security settings, and continuously educate users on digital hygiene to reduce the likelihood and impact of targeted attacks.