CISA Flags WhatsApp Zero-Day Vulnerability Exploited in Zero-Click Spyware Attacks

Sep 4, 2025

Summary

  • Vulnerability: CVE-2025-55177 — an incomplete authorization flaw in WhatsApp’s linked-device sync mechanism.

  • Risk: Permits attackers to deliver and execute content from attacker-controlled URLs—potentially enabling remote code execution (RCE) via zero-click attacks on iOS, macOS, and Android.

  • Exploitation: Chained with Apple’s CVE-2025-43300—a high-severity ImageIO out-of-bounds write vulnerability—to target specific individuals, especially civil society actors.

  • Affected Users: Under 200 users globally notified; may include both iOS and Android users.

  • Response: Patch released (around late July/August for WhatsApp; August 20 for Apple); CISA added CVE-2025-55177 to its Known Exploited Vulnerabilities (KEV) catalog; agencies must patch or suspend WhatsApp by September 23, 2025.

  • Recommended Actions: Update WhatsApp and OS immediately; perform full device reset if notified; enable advanced protection modes.

Timeline of Events

  • July–August 2025
    WhatsApp patches CVE-2025-55177 (linked-device sync flaw) in iOS and macOS apps, including WhatsApp for iOS (v2.25.21.73), Business for iOS and Mac (v2.25.21.78).
    Apple releases a patch for CVE-2025-43300 on August 20 across iOS, iPadOS, and macOS.

  • Late May–August 2025
    Amnesty International’s Security Lab uncovers a zero-click spyware campaign chaining both vulnerabilities against targeted individuals, especially within civil society.

  • August 29–Early September 2025
    WhatsApp confirms fewer than 200 users were likely targeted and have been notified.
    Advisories urge affected users to update or reset devices.

  • September 2–3, 2025
    CISA adds CVE-2025-55177 to its KEV catalog and mandates patching by September 23 or suspending use.
    Security publications highlight the severity of the attack methodology and implicated individuals.

Impact & Implications

  • Zero-click danger: No user interaction needed—victims could be compromised via crafted payloads automatically processed.

  • Targeted espionage: Limited number of victims—under 200—suggests precision attacks, likely for surveillance of high-value targets.

  • Both iOS and Android at risk: Though initially framed as Apple-only, investigators note possible Android impact as well.

  • Broader ecosystem threat: Given that Apple’s ImageIO flaw affects core image processing, other apps beyond WhatsApp could also serve as attack vectors.

Recommended Actions

  1. Update immediately:

    • WhatsApp for iOS → v2.25.21.73 or later

    • WhatsApp for Mac / Business → v2.25.21.78 or later

    • Apple devices → patch in iOS 18.6.2, iPadOS 17.7.10, macOS Ventura/Sonoma/Sequoia as applicable.

  2. If notified: Perform a full factory reset of your device to purge potential lingering malware.

  3. Enable extra protections:

    • iOS: Lockdown Mode

    • Android: Advanced Protection Mode.

  4. Review device behavior: Watch for anomalies like unexpected reboots, battery drain, unknown apps or processes.

  5. Organizations & Agencies:

    • Federal Civilian Executive Branch agencies must comply with the CISA directive: patch or suspend WhatsApp by September 23, 2025.
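
For fleet triage, the minimum WhatsApp versions and the September 23, 2025 deadline above can be checked against a device inventory export. The sketch below is an added example, not code from WhatsApp, Apple or CISA. The CSV layout, the app labels (such as whatsapp-ios) and the sample devices are assumptions constructed for illustration. It covers only the app versions listed on this page and compares version fields numerically, because a plain string comparison would wrongly treat 2.25.21.8 as newer than 2.25.21.73.

```python
import csv
import io
from datetime import date

# Minimum fixed versions as listed on this page; the keys are hypothetical inventory labels.
MIN_FIXED = {
    "whatsapp-ios": "2.25.21.73",
    "whatsapp-business-ios": "2.25.21.78",
    "whatsapp-mac": "2.25.21.78",
}
KEV_DEADLINE = date(2025, 9, 23)  # CISA due date stated on this page

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73) so fields compare numerically."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def assess(app, version, today):
    """Return 'ok', 'update', 'overdue' or 'unknown' for one inventory row."""
    minimum = MIN_FIXED.get(app)
    if minimum is None:
        return "unknown"  # no fixed version for this app is given on the page
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"  # unparseable version string: needs manual review
    if installed >= parse_version(minimum):
        return "ok"
    return "overdue" if today > KEV_DEADLINE else "update"

def triage(inventory_csv, today):
    """Map device id -> status for every row of an inventory export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: assess(r["app"], r["version"], today) for r in rows}

# Constructed sample inventory (hypothetical devices, not real data).
SAMPLE = """device,app,version
ios-001,whatsapp-ios,2.25.21.73
ios-002,whatsapp-ios,2.25.21.8
ios-003,whatsapp-business-ios,2.25.21.73
mac-001,whatsapp-mac,v2.25.22.1
mac-002,whatsapp-mac,unknown
and-001,whatsapp-android,2.25.20.5
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE, date(2025, 9, 10)).items():
        print(f"{device}: {status}")
```

Rows that come back as unknown (an unparseable version, or an app for which this page lists no fixed version) should go to manual review rather than being counted as patched.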

Why It Matters

  • Evolution of spyware techniques: Reflects a rising trend of zero-click, high-precision cyberespionage, particularly against civil society and advocacy groups.

  • Notification briefings: WhatsApp’s alert to those possibly targeted underscores the growing importance of transparency and individual awareness in digital security responses.

  • Timely patching is critical: The CISA directive sets a structured deadline, highlighting the stakes for both public and private sectors in rapidly mitigating known threats.

