WhatsApp has issued a critical alert regarding a newly identified zero-day vulnerability, CVE-2025-55177, which has been exploited in sophisticated zero-click attacks targeting Mac and iOS users. This vulnerability, in combination with an OS-level flaw, CVE-2025-43300, has raised concerns about potential compromises of user devices and data, including sensitive messages.
The flaw, discovered in WhatsApp for iOS and Mac, involves incomplete authorization of linked device synchronization messages. This allowed attackers to trigger content processing from an arbitrary URL on a target’s device without user interaction. The severity increased when it was found that this flaw was being used alongside the Apple ImageIO framework vulnerability, CVE-2025-43300, which Apple had already patched while confirming its use in sophisticated attacks.
Amnesty International’s Security Lab is actively investigating the situation, noting that both iPhone and Android users, including journalists and human rights defenders, have been affected. The threat of government spyware remains a significant concern for these groups.
WhatsApp and security experts recommend updating to the latest app versions and operating systems, and enabling enhanced security features to mitigate risks.

