WhatsApp deserves kudos for taking rapid action to plug a significant security hole, one that also affects its messaging apps on Apple’s iOS and macOS. Tracked as CVE-2025-55177, the vulnerability has been assigned a critical CVSS score of 8.0, indicating a severe threat to users. The flaw stems from inadequate authorization enforcement for linked-device synchronization messages. In recent months, numerous advanced spyware campaigns have likely taken advantage of it.
Over the last three months, WhatsApp has spoken to hundreds of people; what it had not done was tell them that they might have been attacked through this vulnerability. The company has said that the exploit would only have been effective in combination with a separate vulnerability, CVE-2025-43300, which affects iOS, iPadOS, and macOS. This combination of vulnerabilities raises serious questions about the effectiveness of the security measures meant to protect these widely used platforms.
Details of the Vulnerability
CVE-2025-55177 enables “zero-click” attacks: no interaction from the user is needed to compromise a device. According to WhatsApp, the flaw “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.” Chained with the Apple vulnerability, the exploit makes for a dangerous threat, especially because targeted users have no indication that their devices are under attack.
The CVE affects WhatsApp and WhatsApp Business on iOS versions prior to 23.10.77; it also impacts Android versions before 2.25.21.73, iOS versions before 2.25.21.78, and WhatsApp for Mac before version 2.25.21.78. After identifying the vulnerability, WhatsApp quickly issued fixes for the affected versions to reduce the threat.
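The practical defender task after an advisory like this is checking a device inventory against the patched versions. The following is an added example, not code from the article or from WhatsApp: it parses dotted version strings and compares them numerically, segment by segment, because a plain string comparison gets "2.25.9.80" vs "2.25.21.73" wrong. The per-platform thresholds are the 2.25.x figures from the article's version list; the inventory lines are constructed sample data.

```python
"""Check whether an installed WhatsApp build is older than the patched release.

Added example (not from the article or from WhatsApp). Fixed-version
thresholds are the 2.25.x values listed in the article; the inventory
below is constructed sample data.
"""
from __future__ import annotations

# Minimum patched version per platform, as listed in the article.
FIXED_VERSIONS = {
    "android": "2.25.21.73",
    "ios": "2.25.21.78",
    "mac": "2.25.21.78",
}


def parse_version(s: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Raises ValueError for anything that is not purely numeric segments,
    so a malformed inventory entry is flagged rather than silently ranked.
    """
    parts = s.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {s!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, installed: str) -> bool:
    """True when `installed` sorts strictly below the patched version.

    Python compares tuples element by element, and a shorter tuple that is
    a prefix of a longer one sorts first: (2, 25, 21) < (2, 25, 21, 73).
    That is the conservative answer for a truncated version string.
    """
    fixed = parse_version(FIXED_VERSIONS[platform.lower()])
    return parse_version(installed) < fixed


def naive_string_compare_is_vulnerable(platform: str, installed: str) -> bool:
    """The wrong way: lexicographic string comparison.

    Kept only to show the failure mode parse_version() avoids: "9" > "2"
    as characters, so "2.25.9.80" is wrongly judged newer than "2.25.21.73".
    """
    return installed < FIXED_VERSIONS[platform.lower()]


# Constructed inventory lines: "<device id>,<platform>,<whatsapp version>"
SAMPLE_INVENTORY = """\
dev-001,android,2.25.21.73
dev-002,android,2.25.9.80
dev-003,ios,2.25.21.78
dev-004,mac,2.25.19.100
dev-005,ios,2.25.21.8
"""


def triage(inventory_text: str) -> dict[str, list[str]]:
    """Group device ids into 'vulnerable', 'patched' and 'unparsed'."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unparsed": []}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["unparsed"].append(line)
            continue
        device, platform, version = fields
        try:
            bucket = "vulnerable" if is_vulnerable(platform, version) else "patched"
        except (ValueError, KeyError):
            # Unknown platform or malformed version: surface it, don't guess.
            bucket = "unparsed"
        result[bucket].append(device)
    return result


if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {devices}")
```

Running the block lists dev-002, dev-004 and dev-005 as vulnerable; the naive string comparison would have passed dev-002 and dev-005 as patched, which is exactly the kind of inventory error that leaves exploitable builds in the fleet.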
Discovery and Impact
Amnesty International’s Security Lab played a crucial role in discovering and responsibly disclosing this critical vulnerability to WhatsApp. The organization praised WhatsApp’s response but cautioned that early evidence suggests the attacks targeted both iPhone and Android users, and that people doing civil society work were hit particularly hard.
Donncha Ó Cearbhaill emphasized the broader implications of such attacks, stating, “Early indications are that the WhatsApp attack is impacting both iPhone and Android users, civil society individuals among them. Government spyware continues to pose a threat to journalists and human rights defenders.” This serves as a reminder of the unique threats that targeted spyware campaigns pose to vulnerable communities.