September 3, 2025

WhatsApp vulnerability exploited in targeted zero-click attacks

On September 2, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-55177 to its Known Exploited Vulnerabilities (KEV) catalog, noting its active exploitation. This vulnerability affects WhatsApp’s linked device synchronization protocol and was used in targeted zero-click attacks against civil society actors, including journalists and human rights defenders. No public proof-of-concept code has been observed. Meta Platforms, the parent company of WhatsApp, confirmed the issue and issued threat notifications to affected users. 

CVE-2025-55177 allows unauthorized processing of remote content on a victim’s device via crafted synchronization messages. It impacts WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS, and WhatsApp for Mac prior to version 2.25.21.78.  

The flaw was patched between July 28 and August 4, 2025. There are no known workarounds; patching is the only effective mitigation. It is rated Medium severity, with a Common Vulnerability Scoring System (CVSS) v3.1 base score of 5.4 out of 10. Despite this rating, it was used in combination with CVE-2025-43300, an Apple ImageIO out-of-bounds write flaw, to achieve remote code execution without user interaction.

The attack chain enabled full device compromise, including installation of spyware and persistent surveillance.  

Analyst insight

While the CVSS score is moderate, the real-world impact of this flaw is elevated by its zero-click nature and the potential for chaining with other vulnerabilities. There are no known workarounds for CVE-2025-55177. The only effective mitigation is applying the vendor-provided patches. WhatsApp has also recommended that targeted individuals perform a full factory reset of affected devices to remove any persistent threats. This guidance was issued in direct communications to affected users.

Security teams should also apply Apple’s updates addressing CVE-2025-43300 and monitor for signs of compromise, especially among high-risk personnel. For confirmed targets, Meta recommends full device resets to eliminate persistent threats.
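
Since patching is the only mitigation, a fleet-wide version check is the first practical step. The script below is an added example, not code from the advisory or from Meta; it compares installed versions against the fixed versions quoted above. The CSV column layout, device names and status labels are assumptions, and the sample inventory is constructed.

```python
import csv
import io

# Fixed versions as stated in the advisory text above. WhatsApp Business for
# iOS is listed as affected without a fixed version on this page, so it is
# routed to manual review rather than guessed.
FIXED = {
    ("ios", "WhatsApp"): "2.25.21.73",
    ("macos", "WhatsApp"): "2.25.21.78",
    ("ios", "WhatsApp Business"): None,
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(platform, app, version):
    """Return 'vulnerable', 'patched', 'review' or 'not-listed' for one row."""
    key = (platform.strip().lower(), app.strip())
    if key not in FIXED:
        return "not-listed"      # product/platform not named in the advisory
    if FIXED[key] is None:
        return "review"
    try:
        installed = parse_version(version)
    except ValueError:
        return "review"          # never treat an unreadable version as patched
    # Numeric tuple comparison: 2.25.9.x sorts below 2.25.21.x, unlike strings.
    return "vulnerable" if installed < parse_version(FIXED[key]) else "patched"

def audit(inventory_csv):
    """Map each device to its status; columns are an assumed export format."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r["platform"], r["app"], r["version"]) for r in rows}

# Constructed sample inventory (hypothetical devices, assumed column names).
SAMPLE = """device,platform,app,version
iphone-001,iOS,WhatsApp,2.25.21.72
iphone-002,iOS,WhatsApp,2.25.21.73
iphone-003,iOS,WhatsApp,2.25.9.100
mac-001,macOS,WhatsApp,2.25.21.77
iphone-004,iOS,WhatsApp Business,2.25.20.1
iphone-005,iOS,WhatsApp,unknown
pixel-001,Android,WhatsApp,2.25.1.1
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Devices reported as `vulnerable` or `review` belong at the front of the patch queue, with high-risk personnel first.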