cbcvebase.
CVE-2025-55177
published 2025-08-29

CVE-2025-55177: Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and…

Priority: P182 · medium · 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2025-09-23
Exploited in the wild
EPSS: 4.12% (89.5th percentile)
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Affected

3 ranges

Vendor    | Product            | Version range              | Fixed in
whatsapp  | whatsapp           | >= 2.22.25.2, < 2.25.21.73 | 2.25.21.73
whatsapp  | whatsapp           | >= 2.22.25.2, < 2.25.21.78 | 2.25.21.78
whatsapp  | whatsapp_business  | >= 2.22.25.2, < 2.25.21.78 | 2.25.21.78

Detection & IOCs (extracted from sources)

  • CVE-2025-55177 is a zero-click vulnerability exploited via linked device synchronization messages in WhatsApp for iOS/Mac; an unrelated user can trigger processing of content from an arbitrary URL on the target's device without user interaction
  • CVE-2025-55177 was chained with CVE-2025-43300 (Apple iOS/macOS out-of-bounds write) in a sophisticated exploit chain; detections should look for both vulnerabilities being triggered in combination
  • The LandFall spyware campaign used malformed .DNG raw image files with a .ZIP archive appended at the end as the delivery mechanism via WhatsApp, related to the same CVE-2025-55177/CVE-2025-43300 exploitation chain involving DNG format
  • LandFall spyware loader component is named 'b.so' and SELinux policy manipulator is named 'l.so'; monitor for these filenames on Android devices in the context of WhatsApp-delivered content
  • VirusTotal samples related to LandFall/WhatsApp delivery were submitted starting July 23, 2024; filenames on VirusTotal indicated WhatsApp as the delivery channel
  • No proof-of-concept or technical details have been published for CVE-2025-55177; exploitation was confirmed in the wild against targeted individuals (journalists, lawyers, activists, politicians, senior officials)
  • CVE-2025-55177 affects WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78; detections should verify version scope

CVSS provenance

Source     | Version | Score | Severity | Vector
nvd        | v3.1    | 5.4   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vulncheck  |         | 10.0  | CRITICAL |
cisa       |         | 5.4   | MEDIUM   |