Ddos
August 29, 2025
Meta’s WhatsApp Security Team has patched a zero-day flaw (CVE-2025-55177) in WhatsApp for iOS (prior to v2.25.21.73), WhatsApp Business for iOS (prior to v2.25.21.78), and WhatsApp for Mac (prior to v2.25.21.78).
According to the advisory, “Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.”
In plain terms, the vulnerability could be exploited by sending malicious synchronization messages to a victim’s device, causing it to process attacker-controlled content. On its own, this posed a risk of unauthorized content execution, but paired with the Apple zero-day, it became far more powerful.
The WhatsApp Security Team noted: “We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”
This month, Apple released emergency updates for iOS, iPadOS, and macOS to fix CVE-2025-43300, an out-of-bounds write vulnerability in the Image I/O framework.
Apple explains: “An out-of-bounds write occurs when attackers successfully exploit such vulnerabilities by supplying input to a program, causing it to write data outside the allocated memory buffer.” This type of flaw can cause:
- Crashes or instability,
- Data corruption, or
- Remote Code Execution (RCE) in the worst-case scenario.
Because Image I/O is responsible for handling many image file formats, a malicious payload embedded in an image could give attackers the ability to execute arbitrary code at the OS level.
While both vulnerabilities are dangerous independently, their combined exploitation is what makes this attack particularly alarming.
- WhatsApp CVE-2025-55177 allowed attackers to trick the victim device into fetching and processing malicious content from an attacker-controlled URL.
- Apple CVE-2025-43300 then enabled attackers to use that malicious payload to achieve remote code execution on the device.
This chain provided attackers with a stealthy and powerful attack vector that required minimal user interaction — a hallmark of advanced targeted operations often associated with nation-state actors or well-funded surveillance vendors.
WhatsApp users should immediately update to:
- WhatsApp for iOS v2.25.21.73 or later,
- WhatsApp Business for iOS v2.25.21.78 or later,
- WhatsApp for Mac v2.25.21.78 or later.
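The following added example (not part of the original article or of any WhatsApp or Apple tooling) checks a device inventory against the fixed versions listed above, comparing version components numerically rather than as strings. The inventory rows, device names, product keys and status labels are constructed for illustration.

```python
# Added example: flag WhatsApp installs older than the fixed builds listed on this page.
# Minimum fixed versions below come from the article's update list.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn 'v2.25.21.73' or '2.25.21.73' into a tuple of ints."""
    cleaned = text.strip().lstrip("vV")
    parts = cleaned.split(".")
    if not cleaned or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def at_least(installed, fixed):
    """Numeric comparison, zero-padding the shorter version."""
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) >= pad(fixed)

def assess(inventory):
    """Return (device, product, version, status) for each inventory row."""
    findings = []
    for device, product, version in inventory:
        fixed = FIXED.get(product)
        if fixed is None:
            status = "not-listed"          # product not named in this advisory
        else:
            try:
                ok = at_least(parse_version(version), parse_version(fixed))
                status = "patched" if ok else "update-required"
            except ValueError:
                status = "unknown-version"  # needs manual review, not a pass
        findings.append((device, product, version, status))
    return findings

# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("iphone-01", "WhatsApp for iOS", "2.25.21.73"),
    ("iphone-02", "WhatsApp for iOS", "2.25.9.100"),  # a string compare would wrongly pass this
    ("iphone-03", "WhatsApp Business for iOS", "v2.25.21.77"),
    ("mac-01", "WhatsApp for Mac", "2.25.22.1"),
    ("mac-02", "WhatsApp for Mac", "unknown"),
    ("phone-04", "WhatsApp for Android", "2.25.1.1"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Rows reported as `unknown-version` should be treated as unverified and followed up, since an unreadable version string says nothing about whether the fix is installed.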
Apple users should install the latest security updates for iOS, iPadOS, and macOS, which patch CVE-2025-43300 in Image I/O.
Given the targeted nature of exploitation, the risk to the average user may be low — but for high-value targets such as journalists, diplomats, human rights defenders, and executives, the urgency is critical.