CVE-2025-55177: 
WhatsApp vulnerability analysis and mitigation

A high-severity vulnerability identified as CVE-2025-55177 was discovered in WhatsApp's linked device synchronization mechanism. The vulnerability affects WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78. The flaw stems from incomplete authorization of linked device synchronization messages that could allow an unrelated user to trigger processing of content from an arbitrary URL on a target's device (NVD, Hacker News).

The vulnerability has been assigned a CVSS score of 5.4 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. It has been classified under CWE-863 (Incorrect Authorization). The flaw specifically relates to insufficient authorization in the linked device synchronization message processing system, which could be exploited in conjunction with an Apple OS-level vulnerability (CVE-2025-43300) (NVD, Hacker News).

The vulnerability has been identified as part of a sophisticated zero-click attack campaign targeting specific individuals. WhatsApp has notified less than 200 users who may have been targeted in the past 90 days. The attack is reported to impact both iPhone and Android users, with civil society individuals among the targets (Hacker News).

WhatsApp has released patches for all affected versions: WhatsApp for iOS (v2.25.21.73) on July 28, 2025, and WhatsApp Business for iOS and WhatsApp for Mac (v2.25.21.78) on August 4, 2025. Users are advised to perform a full device factory reset and ensure both their operating system and WhatsApp application are up-to-date (Hacker News).

Donncha Ó Cearbhaill, head of the Security Lab at Amnesty International, has highlighted the serious nature of this vulnerability, particularly its impact on civil society. The security community has expressed concern about the continued threat of government spyware targeting journalists and human rights defenders (Hacker News).