CVE-2025-55177 — Meta Platforms WhatsApp Incorrect Authorization Vulnerability

CVE-2025-55177

Meta WhatsApp for iOS/macOS — Zero-Click Exploit Chain via Linked Device Sync Spoofing

What is WhatsApp Linked Devices?

WhatsApp is the world's most widely used end-to-end encrypted messaging platform, with over 2 billion active users. Its end-to-end encryption and strong privacy reputation make it the communication platform of choice for government officials, journalists, human rights workers, activists, and executives handling sensitive discussions. The "linked devices" feature allows a single WhatsApp account to operate simultaneously across multiple devices — iPhone, iPad, Mac, and Web — by sending cryptographic synchronization messages between the primary device and linked devices to keep account state consistent. This synchronization channel is a critical trust boundary: it must only accept messages originating from the account owner's legitimate devices.

Overview

CVE-2025-55177 is an authorization flaw in WhatsApp's linked device synchronization protocol for iOS and macOS. The client fails to adequately verify that incoming synchronization messages originate from a device legitimately linked to the target's own account. An attacker — who holds any WhatsApp account — can craft spoofed synchronization messages that the victim's WhatsApp client accepts and acts upon, causing it to process attacker-supplied content including loading URLs from attacker-controlled servers.

The vulnerability was exploited as part of a zero-click chain with CVE-2025-43300 (an out-of-bounds write in Apple's ImageIO framework during DNG image processing). The full chain required no user interaction: the spoofed sync message (CVE-2025-55177) caused WhatsApp to auto-process a malformed DNG image, and the ImageIO out-of-bounds write (CVE-2025-43300) then achieved arbitrary code execution on the device. Meta confirmed approximately 200 targeted victims over the three months preceding disclosure.

Affected Versions

Platform                    Vulnerable      Fixed
WhatsApp for iOS            < 2.25.21.73    2.25.21.73
WhatsApp Business for iOS   < 2.25.21.78    2.25.21.78
WhatsApp for Mac            < 2.25.21.78    2.25.21.78
WhatsApp for Android        Not affected    -

Android WhatsApp is not affected because the linked device synchronization implementation differs between iOS/macOS and Android.

Technical Details

CWE-863 (Incorrect Authorization). WhatsApp's iOS/macOS client processes incoming linked device synchronization protocol messages — messages that should only come from the user's own trusted devices. The authorization logic fails to sufficiently verify message provenance, accepting spoofed synchronization messages from an attacker's account as if they originated from the victim's own linked device.

CVE-2025-55177 alone causes the victim's WhatsApp client to process attacker-supplied content and initiate outbound network requests to attacker-controlled URLs. This enables data exfiltration and server-side request forgery against the victim's device.
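The following is an added illustration of the CWE-863 pattern described above, not WhatsApp's code or protocol: a constructed model of a linked-device sync channel in which the vulnerable handler processes any message addressed to its account, while the fixed handler accepts only messages whose claimed sender is in the account's own linked-device registry and which authenticate under that device's key. The device keys, device ids and message layout are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of a linked-device sync channel (hypothetical; not WhatsApp's real
# protocol). Each device linked to an account holds a per-device key that the client
# recorded when the device was linked.

@dataclass
class SyncMessage:
    account: str         # account the message claims to synchronise
    sender_device: str   # device id the sender claims to be
    payload: bytes       # e.g. a resource reference the client would act upon
    tag: bytes           # MAC over (account, sender_device, payload)

def make_tag(device_key: bytes, account: str, sender_device: str, payload: bytes) -> bytes:
    data = b"\x00".join([account.encode(), sender_device.encode(), payload])
    return hmac.new(device_key, data, hashlib.sha256).digest()

def accept_sync_vulnerable(own_account: str, msg: SyncMessage) -> bool:
    # CWE-863 pattern: the message is addressed to our account, so it is processed.
    # Nothing ties the claimed sender to a device this account actually linked.
    return msg.account == own_account

def accept_sync_fixed(own_account: str, linked: dict, msg: SyncMessage) -> bool:
    # linked: {device_id: device_key} for THIS account's linked devices only.
    # Provenance = claimed sender is a known linked device AND the message
    # authenticates under that device's key; anything else is dropped unprocessed.
    if msg.account != own_account or msg.sender_device not in linked:
        return False
    expected = make_tag(linked[msg.sender_device], msg.account, msg.sender_device, msg.payload)
    return hmac.compare_digest(expected, msg.tag)

def demo() -> dict:
    # Constructed sample: the account owner has linked exactly one Mac.
    mac_key = b"constructed-device-key-for-victim-mac"
    linked = {"victim-mac": mac_key}
    genuine = SyncMessage("victim", "victim-mac", b"sync:settings",
                          make_tag(mac_key, "victim", "victim-mac", b"sync:settings"))
    # A message from some other account holder that merely names the victim's account
    # and a device the victim never linked.
    spoofed = SyncMessage("victim", "other-device", b"fetch:resource",
                          make_tag(b"other-key", "victim", "other-device", b"fetch:resource"))
    return {
        "vulnerable_accepts_genuine": accept_sync_vulnerable("victim", genuine),
        "vulnerable_accepts_spoofed": accept_sync_vulnerable("victim", spoofed),
        "fixed_accepts_genuine": accept_sync_fixed("victim", linked, genuine),
        "fixed_accepts_spoofed": accept_sync_fixed("victim", linked, spoofed),
    }
```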

Zero-click chain with CVE-2025-43300:

  1. Attacker sends a spoofed sync message via CVE-2025-55177.
  2. The message causes WhatsApp to automatically load a malformed DNG image from an attacker-controlled URL.
  3. Apple's ImageIO framework processes the DNG and triggers an out-of-bounds write (CVE-2025-43300).
  4. The memory corruption enables arbitrary code execution in WhatsApp's process context.
  5. No user action — no tap, no swipe, no preview — is required at any step.

The chain delivers full code execution on a target's iPhone or Mac simply by knowing their WhatsApp phone number.

Discovery

Meta did not publicly attribute the activity. The confirmed targeting of approximately 200 high-value individuals over three months is consistent with commercial spyware operations (NSO Group, Intellexa, and similar vendors that sell zero-click iOS exploit chains to government customers). Meta recommended a full device factory reset for confirmed targets alongside WhatsApp and iOS/macOS updates.

Exploitation Context

Meta confirmed approximately 200 targeted individuals over the three months preceding the August 29, 2025 disclosure — highly selective targeting consistent with commercial surveillance tooling used against journalists, dissidents, government officials, and human rights workers. CISA added the CVE to the KEV catalog on September 2, three days after publication, with a 21-day federal remediation deadline.

The iOS-only scope of the vulnerability (Android not affected) aligns with the commercial spyware market, where iOS zero-days command a significant premium due to iOS's large share of high-value government and enterprise device deployments. The zero-click delivery mechanism — no interaction required from the victim — is the gold standard capability for targeted surveillance operators.

Remediation

  1. Update WhatsApp for iOS to 2.25.21.73, and WhatsApp Business for iOS and WhatsApp for Mac to 2.25.21.78, immediately through the App Store or Mac App Store.
  2. Also ensure iOS / iPadOS / macOS is updated to the version that patches CVE-2025-43300 (the companion ImageIO vulnerability in the chain).
  3. For individuals at high risk of targeted surveillance: enable Lockdown Mode on iPhone and iPad (Settings → Privacy & Security → Lockdown Mode), which restricts external message processing and significantly reduces the attack surface for zero-click chains.
  4. If you were notified by Meta or a security researcher as a potential victim: follow Meta's recommendation to perform a full factory reset of affected devices and restore from a backup predating the suspected compromise window.
  5. Enable automatic app updates to ensure future WhatsApp security patches are applied promptly.
  6. Enterprise environments managing iOS/macOS devices should enforce minimum WhatsApp version requirements via MDM policy.
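To support step 6, here is an added inventory check (not a Meta or MDM vendor tool) that compares reported WhatsApp versions against the fixed versions from the Affected Versions table above; the "device_id,product,version" export layout and the sample records are constructed for the example.

```python
from typing import Iterable, List, Tuple

# Fixed versions taken from the advisory's Affected Versions table. Android is absent
# on purpose: it is not affected, so it must never be flagged.
FIXED_VERSION = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(version: str) -> Tuple[int, ...]:
    # Compare dotted versions numerically, component by component: as plain strings
    # "2.25.21.9" would sort after "2.25.21.73" and a vulnerable build would be missed.
    return tuple(int(part) for part in version.strip().split("."))

def is_vulnerable(product: str, version: str) -> bool:
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return False
    return parse_version(version) < parse_version(fixed)

def flag_inventory(records: Iterable[str]) -> List[Tuple[str, str, str]]:
    # records: lines of "device_id,product,version" (a constructed MDM export layout).
    flagged = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        device_id, product, version = [f.strip() for f in line.split(",", 2)]
        if is_vulnerable(product, version):
            flagged.append((device_id, product, version))
    return flagged

# Constructed sample inventory, not real device data.
SAMPLE_INVENTORY = """
# device_id,product,version
ipad-0012,WhatsApp for iOS,2.25.20.80
iphone-0044,WhatsApp for iOS,2.25.21.73
iphone-0045,WhatsApp Business for iOS,2.25.21.73
mac-0007,WhatsApp for Mac,2.25.22.1
android-0101,WhatsApp for Android,2.25.20.1
""".splitlines()

if __name__ == "__main__":
    for device_id, product, version in flag_inventory(SAMPLE_INVENTORY):
        print(f"{device_id}: {product} {version} is below the fixed version")
```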

Key Details

CVE ID: CVE-2025-55177
Vendor / Product: Meta Platforms — WhatsApp
NVD Published: 2025-08-29
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 5.4
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Severity: MEDIUM
CWE: CWE-863
CISA KEV Added: 2025-09-02
CISA KEV Deadline: 2025-09-23
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2025-09-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-07-28  WhatsApp for iOS 2.25.21.73 released (patch for CVE-2025-55177)
2025-08-04  WhatsApp Business for iOS and WhatsApp for Mac 2.25.21.78 released
2025-08-29  CVE published; Meta discloses ~200 confirmed targeted victims over preceding three months
2025-09-02  Added to CISA Known Exploited Vulnerabilities catalog
2025-09-23  CISA BOD 22-01 remediation deadline

References

Resource                            Type
WhatsApp Security Advisories 2025   Vendor Advisory
NVD — CVE-2025-55177                Vulnerability Database
CISA KEV Catalog Entry              US Government