Incomplete Authorization in WhatsApp for iOS and Mac Linked Device Synchronization
CVE-2025-55177

5.4 MEDIUM

Key Information:

Badges

🥇 Trended No. 1 | 📈 Trended | 📈 Score: 4,450 | 👾 Exploit Exists | 🦅 CISA Reported | 📰 News Worthy

What is CVE-2025-55177?

CVE-2025-55177 is a vulnerability in the linked-device synchronization feature of WhatsApp for iOS, WhatsApp Business for iOS and WhatsApp for Mac. Authorization of linked-device synchronization messages was incomplete: the client did not fully verify that such a message came from one of the target account's own linked devices, so an unrelated user could send a synchronization message that made the target's device process content from an arbitrary URL. It affects WhatsApp for iOS prior to v2.25.21.73, and WhatsApp Business for iOS and WhatsApp for Mac prior to v2.25.21.78. On its own the flaw is rated Medium, but a primitive that makes a victim's device fetch and parse attacker-chosen content is a natural first stage for an exploit chain, and it was used in conjunction with an Apple vulnerability (CVE-2025-43300) in zero-click spyware attacks, as the news reports on this page describe.
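To make the bug class concrete, here is an added illustration that is not WhatsApp's code: a toy model of a linked-device sync handler, with an "incomplete authorization" version that checks only the message type beside a version that also checks the message is addressed to, and sent by, one of this account's registered linked devices. The message fields, the device registry and the URLs are all assumptions made for the example; a real protocol must bind the device identity cryptographically (a signature under a key enrolled at link time) rather than trust a self-asserted device id, which the example models as simple set membership.

```python
"""Toy model of an authorization check on linked-device sync messages.

Added example, not WhatsApp code. Field names, the device registry and
the sample messages are assumptions used to show the bug class described
by CVE-2025-55177: a sync message accepted without verifying that the
sender is one of the target account's own linked devices.
"""
from dataclasses import dataclass, field


@dataclass
class SyncMessage:
    sender_account: str      # account the message claims to come from
    sender_device: str       # device id the message claims to come from
    recipient_account: str   # account the message is addressed to
    msg_type: str
    content_url: str         # URL whose content the recipient would process


@dataclass
class Account:
    account_id: str
    linked_devices: set[str] = field(default_factory=set)   # enrolled at link time
    processed_urls: list[str] = field(default_factory=list)

    def process_content_from_url(self, url: str) -> None:
        # Stand-in for the real work (fetch, parse, render); only records the URL.
        self.processed_urls.append(url)


def handle_sync_vulnerable(account: Account, msg: SyncMessage) -> bool:
    """Incomplete authorization: only the message type is checked, so any
    sender can make the target process content from an arbitrary URL."""
    if msg.msg_type != "linked_device_sync":
        return False
    account.process_content_from_url(msg.content_url)
    return True


def handle_sync_fixed(account: Account, msg: SyncMessage) -> bool:
    """Complete authorization: the message must be addressed to this account,
    claim to originate from this same account, and come from a device that is
    actually in the account's linked-device set. (In a real protocol the
    device identity is bound by a signature, not by an id in the message.)"""
    if msg.msg_type != "linked_device_sync":
        return False
    if msg.recipient_account != account.account_id:
        return False
    if msg.sender_account != account.account_id:
        return False
    if msg.sender_device not in account.linked_devices:
        return False
    account.process_content_from_url(msg.content_url)
    return True


def demo() -> dict[str, list[str]]:
    """Run one legitimate and one unrelated-sender message through both
    handlers; returns the URLs each handler caused the target to process."""
    target = Account("+15550001111", linked_devices={"desktop-1"})   # constructed
    own = SyncMessage("+15550001111", "desktop-1", "+15550001111",
                      "linked_device_sync", "https://sync.example/own-blob")
    unrelated = SyncMessage("+15559998888", "attacker-dev", "+15550001111",
                            "linked_device_sync", "https://evil.example/payload")
    results: dict[str, list[str]] = {}
    for name, handler in (("vulnerable", handle_sync_vulnerable),
                          ("fixed", handle_sync_fixed)):
        target.processed_urls.clear()
        for m in (own, unrelated):
            handler(target, m)
        results[name] = list(target.processed_urls)
    return results


if __name__ == "__main__":
    for name, urls in demo().items():
        print(f"{name}: {urls}")
```

The vulnerable handler processes both URLs, including the one supplied by the unrelated account; the fixed handler processes only the one from the enrolled device. A sender that spoofs the target's own account id but an unknown device id is also rejected, which is the check that an id-only design would still depend on cryptography to make meaningful.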

Potential impact of CVE-2025-55177

  1. Unauthorized Data Access: An attacker could make a target device process content from a URL the attacker controls, which may expose personal information or sensitive data and compromise user confidentiality.

  2. Targeted Attacks: Chained with an OS-level vulnerability such as Apple's CVE-2025-43300, CVE-2025-55177 becomes a delivery stage for zero-click attacks against specific users; the reports on this page indicate it was used this way in spyware campaigns against targeted individuals.

  3. User Trust Erosion: Exploitation of this kind can undermine confidence in the platform as users become aware of the flaw, affecting retention and reputation.

CISA has reported CVE-2025-55177

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA tracks the most dangerous vulnerabilities and has added CVE-2025-55177 to its Known Exploited Vulnerabilities (KEV) catalog as exploited in the wild; it is not known by CISA to be used in ransomware campaigns. This status can change quickly.

CISA's recommended action is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

WhatsApp Business for iOS: 2.22.25.2 up to, but not including, 2.25.21.78 (fixed in 2.25.21.78)

WhatsApp Desktop for Mac: 2.22.25.2 up to, but not including, 2.25.21.78 (fixed in 2.25.21.78)

WhatsApp for iOS: 2.22.25.2 up to, but not including, 2.25.21.73 (fixed in 2.25.21.73)
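When checking a fleet against these ranges, compare versions numerically component by component; a plain string comparison puts "2.25.9.1" after "2.25.21.78" and would miss an affected build. The following is an added example, not vendor tooling: the ranges are the ones listed above, and the inventory export is constructed (the device names and the CSV shape are assumptions).

```python
"""Flag installed WhatsApp builds that fall inside the affected ranges on
this page. Added example, not vendor tooling; the inventory is constructed."""

# product: (first affected version, first fixed version), as listed on the page.
# The fixed version itself is not affected.
AFFECTED = {
    "WhatsApp for iOS": ("2.22.25.2", "2.25.21.73"),
    "WhatsApp Business for iOS": ("2.22.25.2", "2.25.21.78"),
    "WhatsApp Desktop for Mac": ("2.22.25.2", "2.25.21.78"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so 2.25.9 sorts before 2.25.21."""
    return tuple(int(part) for part in v.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when first_affected <= version < first_fixed for that product."""
    first_affected, first_fixed = AFFECTED[product]
    v = parse_version(version)
    return parse_version(first_affected) <= v < parse_version(first_fixed)


# Constructed inventory export (e.g. from an MDM): device,product,version
INVENTORY = """\
iphone-ceo,WhatsApp for iOS,2.25.20.1
iphone-cfo,WhatsApp for iOS,2.25.21.73
mac-exec,WhatsApp Desktop for Mac,2.25.9.1
mac-ops,WhatsApp Desktop for Mac,2.25.21.78
iphone-sales,WhatsApp Business for iOS,2.21.10.4
"""


def vulnerable_devices(inventory: str = INVENTORY) -> list[str]:
    """Return the device names whose installed build is in an affected range."""
    found = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        device, product, version = line.split(",")
        if is_affected(product, version):
            found.append(device)
    return found


if __name__ == "__main__":
    print(vulnerable_devices())
```

In the constructed inventory only iphone-ceo and mac-exec are flagged: the two builds at exactly the fixed version are clean, the 2.21.x build is below the listed range, and mac-exec's 2.25.9.1 is caught only because the comparison is numeric.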

News Articles

CISA Adds TP-Link and WhatsApp Flaws to KEV Catalog Amid Active Exploitation

CISA adds TP-Link CVE-2020-24363 and WhatsApp CVE-2025-55177 to KEV; mitigations required by Sept 23, 2025.

2 weeks ago

WhatsApp fixes vulnerability used in zero-click attacks

WhatsApp has patched a vulnerability that was used in conjunction with an Apple vulnerability in zero-click attacks.

2 weeks ago

WhatsApp Issues Emergency Update for Zero-Click Exploit Targeting iOS and macOS Devices

WhatsApp patched CVE-2025-55177 zero-day linked with Apple CVE-2025-43300, exploited in spyware attacks.

3 weeks ago


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 🦅 CISA Reported

  • 📈 Vulnerability started trending

  • 👾 Exploit known to exist

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved
