Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2025-55177
CVE-2025-55177:
WhatsApp vulnerability analysis and mitigation
Overview
A security vulnerability (CVE-2025-55177) was discovered in WhatsApp's iOS and macOS messaging clients affecting WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The vulnerability involves incomplete authorization of linked device synchronization messages that could allow an unrelated user to trigger processing of content from an arbitrary URL on a target's device. The flaw was discovered by WhatsApp's internal Security Team and received a CVSS score of 5.4 (Medium) (Hacker News, BleepingComputer).
Technical details
The vulnerability is classified as an incorrect authorization issue (CWE-863) that specifically affects the linked device synchronization mechanism in WhatsApp. When combined with an OS-level vulnerability on Apple platforms (CVE-2025-43300), it creates a zero-click attack vector, meaning no user interaction is required for exploitation. The vulnerability received a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (Hacker News).
Impact
The vulnerability, when exploited in conjunction with CVE-2025-43300, enables sophisticated attacks against specific targeted users. The attack can compromise the target device and access its data, including messages, without requiring any user interaction. WhatsApp has confirmed that less than 200 users were targeted in this campaign over a 90-day period (TechCrunch, Hacker News).
Mitigation and workarounds
WhatsApp has released patches for the affected versions: WhatsApp for iOS users should update to version 2.25.21.73 or later, while WhatsApp Business for iOS and WhatsApp for Mac users should update to version 2.25.21.78 or later. For potentially compromised users, WhatsApp recommends performing a full device factory reset and keeping both the operating system and WhatsApp application up-to-date (BleepingComputer).
Community reactions
Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, described the vulnerability as part of an advanced spyware campaign and emphasized that government spyware continues to pose a threat to journalists and human rights defenders. WhatsApp has sent in-app threat notifications to affected users, warning them about the sophisticated nature of the attack (Hacker News, TechCrunch).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management