WhatsApp’s developers have fixed a 0-day vulnerability in the iOS and macOS versions of the messenger. According to the company, the new issue, along with a recently disclosed Apple bug, may have been used in “sophisticated attacks targeting specific users.”
The vulnerability has been assigned the identifier CVE-2025-55177 and a CVSS score of 8. The issue is related to insufficient authorization of linked-device synchronization messages. The vulnerability was discovered by researchers from WhatsApp’s internal security team.
The company explained that the issue “allowed a third party to initiate processing of content from an arbitrary URL on the victim’s device.”
The issue affects the following versions:
- WhatsApp for iOS versions prior to 2.25.21.73 (fixed on July 28, 2025);
- WhatsApp Business for iOS version 2.25.21.78 (fixed on August 4, 2025);
- WhatsApp for Mac version 2.25.21.78 (fixed on August 4, 2025).
The developers believe that CVE-2025-55177 may have been used in conjunction with the 0-day vulnerability CVE-2025-43300. That second issue, which Apple fixed in mid-August 2025, affected iOS, iPadOS, and macOS. The bug was found in the Image I/O framework, which allows applications to read and write images in most formats.
Apple reported that this zero-click issue, CVE-2025-43300, was used as part of sophisticated targeted attacks against individual users.
Experts at Amnesty International report that WhatsApp representatives have already notified around 200 people that in the past 90 days they may have been targets of a sophisticated cyberespionage campaign using CVE-2025-55177.
In the notification sent to affected users, the developers recommended performing a full factory reset of the device and then keeping the OS and the WhatsApp app up to date for optimal protection.
At present, it has not been disclosed who exactly may have been behind this espionage campaign.