WhatsApp on Friday announced it patched a zero-day vulnerability it believes was used to launch sophisticated attacks against specific individuals.
The Meta-owned messaging platform said in a security advisory that the bug, labeled CVE-2025-55177, involves “incomplete authorization of linked device synchronization messages.”
The issue “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” the advisory says.
WhatsApp believes the vulnerability could have been combined with a separate OS-level vulnerability on Apple devices (CVE-2025-43300) to potentially launch sophisticated attacks against “specific targeted users,” the advisory says.
Apple, which patched CVE-2025-43300 on August 20, has described it as an “out-of-bounds write issue.”
The tech giant said it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”
CVE-2025-43300 affected Apple’s iOS, iPadOS and macOS products.
No technical details were released by either company.
In 2019, WhatsApp was exploited with a zero-day attack carried out by the NSO Group, which manufactures the zero-click spyware known as Pegasus. That attack impacted some 1,400 Apple users and resulted in a court finding holding NSO Group liable.
In January WhatsApp accused a separate spyware company, Paragon, of targeting about 90 of its users with spyware. Digital forensic experts from the Citizen Lab subsequently verified some of those attacks occurred.
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.
