Attackers are exploiting a vulnerability in WhatsApp's iOS and macOS clients in a "sophisticated" zero-click attack against targeted Apple users. The campaign chains it with a previously discovered and patched Apple OS flaw, CVE-2025-43300, already known to have been exploited in other attacks. The incidents, which have affected about 200 people so far, have spurred the US government to urge its federal workforce to update their devices immediately.
The new bug (CVE-2025-55177, CVSS 5.4) affects Meta's WhatsApp chat application and could "allow an unrelated user to trigger processing of content from an arbitrary URL on a target's device," according to an advisory posted Tuesday by the Cybersecurity and Infrastructure Security Agency (CISA). In other words, an account with no prior relationship to the target can make the target's device fetch and parse attacker-controlled content with no action by the victim, which is what makes the attack zero-click. WhatsApp's own advisory characterizes the flaw as an "incomplete authorization of linked device synchronization messages" issue. It affects WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78.
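Because the fixed builds differ by product, a fleet check has to compare versions numerically per product rather than as strings (a plain string comparison ranks "2.25.9.1" above "2.25.21.78"). The following is an added example, not code from the article or from Meta/WhatsApp: it encodes the three fixed versions named in WhatsApp's advisory and flags older builds in a constructed sample inventory. The product labels and the inventory records are assumptions standing in for whatever an MDM export actually produces.

```python
"""Flag WhatsApp builds that predate the CVE-2025-55177 fix.

Added example; the fix thresholds are those in WhatsApp's advisory, while the
product labels and inventory records below are constructed sample data.
"""
from typing import Dict, List, Tuple

# First build containing the fix, keyed by product (labels are assumptions;
# real MDM exports name the apps differently).
FIXED_VERSIONS: Dict[str, str] = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'v2.25.21.73' or '2.25.21.73' into an integer tuple.

    Integer tuples compare component-wise, so 2.25.9.1 correctly sorts below
    2.25.21.78, which a string comparison would get wrong.
    """
    return tuple(int(part) for part in v.strip().lstrip("vV").split("."))


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed build is older than the first fixed build."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fix threshold known for {product!r}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


# Constructed sample inventory (hypothetical device IDs and versions).
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"device": "ip-001", "product": "WhatsApp for iOS", "version": "2.25.20.80"},
    {"device": "ip-002", "product": "WhatsApp for iOS", "version": "2.25.21.73"},
    {"device": "ip-003", "product": "WhatsApp Business for iOS", "version": "2.25.21.77"},
    {"device": "mac-001", "product": "WhatsApp for Mac", "version": "v2.25.21.78"},
    {"device": "mac-002", "product": "WhatsApp for Mac", "version": "2.25.9.1"},
]


def find_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return device IDs whose WhatsApp build predates the fix."""
    return [
        rec["device"]
        for rec in inventory
        if is_vulnerable(rec["product"], rec["version"])
    ]


if __name__ == "__main__":
    for device in find_unpatched(SAMPLE_INVENTORY):
        print("update required:", device)
```

Devices running exactly the fixed build are not flagged; anything older, including builds whose version strings would sort "higher" lexically, is.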
"We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users," according to WhatsApp's advisory. The company has since updated its app to fix the flaw, so users should update to the latest version.
The previously disclosed Apple flaw is an out-of-bounds write in the ImageIO framework that was used in zero-day attacks in August, also described as "extremely sophisticated" targeted attacks against specific users. It affects iOS, iPadOS, and macOS, and Apple patched it on Aug. 20. "Processing a malicious image file may result in memory corruption," according to Apple's security advisory for the bug; in this campaign, the WhatsApp flaw supplies the path by which such a file reaches the device without any user interaction. Apple's update addressed the vulnerability with improved bounds checking in the latest versions of the OSes.