WhatsApp has patched a zero-day vulnerability that it says may have been exploited in a sophisticated attack against specific targeted users. The flaw, tracked as CVE-2025-55177, stems from incomplete authorization of linked-device synchronization messages: an unrelated user could trigger the processing of content from an arbitrary URL on a target's device. WhatsApp assesses that it may have been chained with an Apple OS-level flaw, CVE-2025-43300, which Apple describes as an out-of-bounds write in image processing that can corrupt memory when a malicious image file is parsed.

Amnesty International's Security Lab has linked the pair of vulnerabilities to a commercial spyware campaign. Chains like this are particularly concerning because they are zero-click: no user interaction is required, which lets spyware covertly access a device's camera, microphone and data. Earlier this year, NSO Group was ordered to pay significant damages after its Pegasus spyware was used to target numerous WhatsApp users.

The WhatsApp flaw affects WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78. Updating to those versions or later closes the WhatsApp side of the chain; on Apple devices the OS update that addresses CVE-2025-43300 should be applied as well, since the image-parsing bug is exploitable independently of WhatsApp.

