A zero-click vulnerability in WhatsApp, tracked as CVE-2025-55177, has been actively exploited in the wild, targeting Apple devices. The flaw, which affects WhatsApp for iOS and macOS, allows attackers to trigger the processing of content from arbitrary URLs on a target's device without any user interaction. This vulnerability, which has been assigned a CVSS score of 5.4, was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on September 2, 2025, underscoring its active exploitation status.
The vulnerability stems from incomplete authorization of linked device synchronization messages in WhatsApp for iOS versions prior to 2.25.21.73, WhatsApp Business for iOS version 2.25.21.78, and WhatsApp for Mac version 2.25.21.78. This flaw allows an attacker to exploit the synchronization process to execute malicious actions on a victim's device, potentially leading to unauthorized access or data exfiltration.
The exploitation of CVE-2025-55177 is particularly concerning due to its zero-click nature, meaning that victims do not need to interact with the malicious payload for the attack to succeed. This characteristic makes it an attractive vector for spyware campaigns, as evidenced by its use in targeted attacks against Apple users. The vulnerability was exploited within just 3.3 days of its disclosure, highlighting the rapid pace at which threat actors can leverage newly discovered vulnerabilities.
Meta Platforms, the parent company of WhatsApp, has responded by releasing emergency updates to address the vulnerability. Users of affected versions are urged to update their applications immediately to mitigate the risk of exploitation. The updates are available for download through the App Store for iOS devices and the Mac App Store for macOS devices.
Security experts recommend that organizations using WhatsApp on Apple devices prioritize the deployment of these updates. Additionally, they should monitor network traffic for unusual activity that could indicate exploitation attempts, such as unexpected synchronization requests or connections to unfamiliar URLs.
While the CVSS score of 5.4 categorizes the vulnerability as medium severity, its inclusion in the KEV list and the active exploitation in the wild elevate its importance. The Security Severity Vulnerability Classification (SSVC) has marked this vulnerability as "attend," indicating that it requires immediate attention from security teams.
In conclusion, the rapid exploitation of CVE-2025-55177 serves as a reminder of the importance of timely patching and vigilant monitoring of network activity. As attackers continue to exploit zero-click vulnerabilities, organizations must remain proactive in their cybersecurity efforts to protect sensitive data and maintain the integrity of their systems.
CSURFACE