CVE-2025-55177: Zero-Click WhatsApp Exploit Leveraged in Targeted Spyware Attacks on Apple Devices
[Update] October 1, 2025: Researchers Trigger the WhatsApp Zero-Click Exploit Chain (CVE-2025-55177 and CVE-2025-43300)
Security researchers have uncovered a significant vulnerability in WhatsApp that may have been actively exploited in the wild. Discovered internally by the WhatsApp Security Team, this flaw, identified as CVE-2025-55177, affects WhatsApp and WhatsApp Business on iOS, as well as WhatsApp for Mac.
The vulnerability has already been patched, but its potential use in targeted spyware campaigns signals a more troubling development: coordinated attacks chaining app-level and OS-level exploits to surveil specific individuals.
Read on for a breakdown of what CVE-2025-55177 is, how it was exploited, and what steps you can take to stay protected.
What Is CVE-2025-55177?
CVE-2025-55177 is a high-severity vulnerability (CVSS score: 8.0) rooted in insufficient authorization of linked device synchronization messages in WhatsApp.
This flaw could allow an attacker, without any legitimate association to the victim, to force the target device to process content from an arbitrary URL. In practical terms, this opens the door to Remote Code Execution (RCE) or content delivery from an attacker-controlled source, bypassing expected trust boundaries. Notably, this appears to be a zero-click exploit, meaning it can be triggered without any user interaction.
Affected versions include:
- WhatsApp for iOS prior to v2.25.21.73 (patched July 28, 2025)
- WhatsApp Business for iOS v2.25.21.78 (patched August 4, 2025)
- WhatsApp for Mac v2.25.21.78 (patched August 4, 2025)
Meta has confirmed that this flaw was likely exploited alongside an Apple vulnerability (CVE-2025-43300), raising the severity of the situation.
CVE-2025-43300: Apple ImageIO Vulnerability Amplifies Attack Chain
The official advisory points to the chaining of CVE-2025-55177 with CVE-2025-43300 (CVSS: 8.8), an Apple platform vulnerability affecting iOS, iPadOS, and macOS. This OS-level bug involves an out-of-bounds write in the ImageIO framework, which could lead to memory corruption during image processing.

Details of CVE-2025-43300 (SOCRadar Vulnerability Intelligence)
How CVE-2025-55177 Was Used in Targeted Attacks
The combination of the two flaws potentially enabled a highly stealthy spyware deployment pipeline. Because the exploit is zero-click, the victim does not need to open a file, click a link, or take any action at all. That level of automation drastically reduces detection risk, allowing spyware to be implanted silently and rapidly.
While the origin of the campaign and the spyware vendor remain undisclosed, the nature of the attack implies an advanced and well-resourced adversary.
This isn’t just a case of app-level misconfiguration. It reflects the growing trend of multi-layered exploits, where app and OS bugs are woven together to bypass user defenses and implant spyware with minimal visibility.
Mitigation Steps to Secure WhatsApp & Apple Devices
Users who may have been affected received a direct alert from WhatsApp, along with strong recommendations to secure their devices. Even if you weren’t notified, it’s critical to take the following actions:
- Update immediately: Make sure you’re running the latest version of WhatsApp on all platforms.
- Apply OS patches: Install the latest iOS/macOS/iPadOS updates from Apple, particularly those addressing CVE-2025-43300.
- Factory reset: If you suspect compromise, perform a full device factory reset to clear any lingering spyware.
- Review connected devices: Remove any unfamiliar or unused linked devices from WhatsApp’s multi-device settings.
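To act on the "Update immediately" step across a fleet, the sketch below (an added example, not code from WhatsApp or SOCRadar) compares installed WhatsApp builds against the version numbers in the "Affected versions" list. It assumes every build numerically below the listed version is affected; the inventory rows and product labels are constructed for illustration.

```python
# Versions copied from the "Affected versions" list on this page.
FIXED_BUILDS = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn 'v2.25.21.73' into (2, 25, 21, 73); return None if malformed."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'vulnerable', 'patched', 'review' or 'not-in-scope'."""
    fixed = FIXED_BUILDS.get(product)
    if fixed is None:
        return "not-in-scope"      # product is not in the page's list
    installed = parse_version(version)
    if installed is None:
        return "review"            # unreadable version: fail closed
    fixed_t = parse_version(fixed)
    # Compare numerically (as strings, "2.25.9.80" would sort above
    # "2.25.21.78") and pad so "2.25.21" is treated as "2.25.21.0".
    width = max(len(installed), len(fixed_t))
    pad = lambda t: t + (0,) * (width - len(t))
    return "vulnerable" if pad(installed) < pad(fixed_t) else "patched"

# Constructed inventory rows: (device, product, installed version).
INVENTORY = [
    ("iphone-014", "WhatsApp for iOS", "2.25.21.72"),
    ("iphone-022", "WhatsApp for iOS", "2.25.21.73"),
    ("iphone-031", "WhatsApp Business for iOS", "2.25.9.80"),
    ("mac-007", "WhatsApp for Mac", "v2.25.21.78"),
    ("mac-011", "WhatsApp for Mac", "2.25.21"),
    ("mac-019", "WhatsApp for Mac", "unknown"),
    ("pixel-003", "WhatsApp for Android", "2.25.1.1"),
]

def audit(inventory):
    """Map each device to its patch status."""
    return {dev: classify(prod, ver) for dev, prod, ver in inventory}

if __name__ == "__main__":
    for device, status in audit(INVENTORY).items():
        print(f"{device:12} {status}")
```

Devices reported as `review` have a version string the script could not parse and should be checked by hand rather than assumed patched.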
Researchers Trigger the WhatsApp Zero-Click Exploit Chain (CVE-2025-55177 and CVE-2025-43300)
Researchers at DarkNavy have now confirmed they were able to successfully trigger the WhatsApp zero-click vulnerability CVE-2025-55177.
According to their post on X, the flaw stems from missing validation of whether a specific message originates from a linked device. By crafting such a message, attackers can abuse DNG parsing and chain the issue with CVE-2025-43300, resulting in memory corruption.
While earlier reports warned that CVE-2025-55177 might already have been exploited in the wild, this demonstration serves as concrete proof of the exploit process. It reinforces the urgency for users and organizations to apply available updates and harden device security to prevent potential attacks.
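The bug class described here and in the "What Is CVE-2025-55177?" section, a sync handler that never checks whether the sender is one of the account's linked devices, can be shown with a simplified model. This is an added example, not WhatsApp code or its protocol: the `Account` and `SyncMessage` types, the handler names and the `example.invalid` URLs are all hypothetical, and the "fetch" only records URLs instead of touching the network.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Hypothetical local state: the user and the devices they linked."""
    user_id: str
    linked_devices: set = field(default_factory=set)

@dataclass
class SyncMessage:
    """Hypothetical sync message asking the client to process a URL."""
    sender_user: str
    sender_device: str
    content_url: str

def handle_sync_unchecked(account, msg, fetch):
    # Flawed pattern: the sender is never authorized, so any party that can
    # deliver this message type decides which URL the client processes.
    return fetch(msg.content_url)

def handle_sync_checked(account, msg, fetch):
    # Hardened pattern: authorize before touching message content.
    if msg.sender_user != account.user_id:
        return None                      # not the user's own account
    if msg.sender_device not in account.linked_devices:
        return None                      # not a currently linked device
    return fetch(msg.content_url)

def run(handler):
    """Feed constructed messages to a handler; return the URLs it processed."""
    account = Account("alice", {"alice-mac"})
    messages = [
        SyncMessage("alice", "alice-mac", "https://cdn.example.invalid/own-sync"),
        SyncMessage("mallory", "mallory-phone", "https://host.example.invalid/unrelated"),
        SyncMessage("alice", "old-laptop", "https://host.example.invalid/unlinked"),
    ]
    processed = []
    for msg in messages:
        handler(account, msg, processed.append)  # stub fetch: record only
    return processed

if __name__ == "__main__":
    print("unchecked:", run(handle_sync_unchecked))
    print("checked:  ", run(handle_sync_checked))
```

The third constructed message shows why pruning the linked-device list matters: once a device is removed from the list, the checked handler drops its sync messages as well.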
Enhance CVE Monitoring with SOCRadar
SOCRadar’s Cyber Threat Intelligence (CTI) module, with its advanced Vulnerability Intelligence capabilities, provides deep visibility into recently disclosed CVEs like CVE-2025-55177 and CVE-2025-43300. Users gain contextual insights, exploit availability status, and threat actor usage, empowering faster prioritization and patching decisions.
In parallel, the Attack Surface Management (ASM) module gives organizations a dynamic, real-time view of exposed assets that may be affected by newly disclosed vulnerabilities. ASM automatically correlates external-facing infrastructure with active threats, helping security teams identify high-risk systems before attackers do.

SOCRadar’s Vulnerability Intelligence
By integrating CTI and ASM, SOCRadar delivers a proactive defense strategy, equipping security teams to detect, assess, and remediate risk with precision.

