CVE-2025-55177
Published: 2025-08-29
Priority: P182 · CVSS 3.1 base score 5.4 (Medium) · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2025-09-23
Exploited in the wild
EPSS: 4.12% (89.5th percentile)
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. WhatsApp assesses that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
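The bug class is incorrect authorization (CWE-863) on a message path that is normally reserved for a user's own devices. The following is an added illustration, not WhatsApp's code and not its wire protocol: it assumes a client that keeps the set of device identities linked to its own account, receives synchronization messages that may carry a URL to fetch, and has to decide whether to act on them. The vulnerable handler authorizes on message type alone; the hardened one first checks that the sender is one of the account's own linked devices, using identities the transport has already authenticated, and drops everyone else before the URL is touched. Field, class and function names are the example's own.

```python
"""Added illustration of CWE-863 on a linked-device sync path.
Hypothetical model: the message shape, field names and device registry are
assumptions for the demo, not WhatsApp's protocol or code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SyncMessage:
    # In the model these two fields are filled in by the transport after it
    # has authenticated the peer; the bug is in not consulting them.
    sender_account: str
    sender_device: str
    kind: str                      # "sync.*" messages may carry a URL to fetch
    fetch_url: Optional[str] = None


@dataclass
class Client:
    account: str
    linked_devices: Set[str] = field(default_factory=set)
    processed: List[str] = field(default_factory=list)  # URLs handed to the parser

    def _process_url(self, url: str) -> None:
        # Stand-in for fetching the URL and passing the bytes to an image/media parser.
        self.processed.append(url)

    def handle_vulnerable(self, msg: SyncMessage) -> bool:
        """Authorizes on message kind alone: any peer that can address this
        account can send a 'sync' message and have its URL processed."""
        if msg.kind.startswith("sync.") and msg.fetch_url:
            self._process_url(msg.fetch_url)
            return True
        return False

    def handle_fixed(self, msg: SyncMessage) -> bool:
        """Requires the sender to be one of this account's own linked devices
        before the URL is looked at; anyone else is dropped."""
        if msg.sender_account != self.account:
            return False
        if msg.sender_device not in self.linked_devices:
            return False
        if msg.kind.startswith("sync.") and msg.fetch_url:
            self._process_url(msg.fetch_url)
            return True
        return False


def demo() -> Dict[str, List[str]]:
    """Feed the same two constructed messages to each handler."""
    legit = SyncMessage("alice", "alice-laptop", "sync.media", "https://cdn.example/own-photo")
    unrelated = SyncMessage("mallory", "mallory-phone", "sync.media", "https://attacker.example/payload")
    out: Dict[str, List[str]] = {}
    for name, handler in (("vulnerable", "handle_vulnerable"), ("fixed", "handle_fixed")):
        c = Client("alice", {"alice-phone", "alice-laptop"})
        for msg in (legit, unrelated):
            getattr(c, handler)(msg)
        out[name] = c.processed
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is the order of checks: identity of the sender is established (by the transport, not by a field the peer fills in) and compared with the account's own device list before any content is fetched, so an unrelated account never reaches the parser.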
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| Meta Platforms | WhatsApp for iOS | >= 2.22.25.2, < 2.25.21.73 | 2.25.21.73 |
| Meta Platforms | WhatsApp for Mac | >= 2.22.25.2, < 2.25.21.78 | 2.25.21.78 |
| Meta Platforms | WhatsApp Business for iOS (whatsapp_business) | >= 2.22.25.2, < 2.25.21.78 | 2.25.21.78 |
Detection & IOCs (extracted from the sources listed below)
- CVE-2025-55177 is a zero-click flaw in how WhatsApp for iOS and Mac authorize linked-device synchronization messages: an unrelated WhatsApp user can make the target's client process content fetched from an arbitrary URL, with no action by the target.
- In the observed attack it was chained with CVE-2025-43300, an out-of-bounds write in Apple's Image I/O framework. The chain needs both an unpatched WhatsApp client and an unpatched iOS/iPadOS/macOS build, so patch and verify both: the WhatsApp version (table above) and the Apple OS version (Apple also backported the Image I/O fix to iOS/iPadOS 15.8.5 and 16.7.12; see the Bleepingcomputer entry below).
- The LANDFALL campaign reported by Unit 42 (November 2025) is related by pattern, not by CVE: it hit Samsung Android devices through CVE-2025-21042 in Samsung's image-parsing library, again with image files sent over WhatsApp. Its delivery artifact was a malformed .DNG raw image with a .ZIP archive appended near the end of the file. Unit 42 describes the Samsung bug as part of a broader pattern of similar image-parsing flaws across mobile platforms.
- LANDFALL components carried inside those DNGs: a loader named b.so and an SELinux policy manipulator named l.so. These are Android indicators for the Samsung chain; no equivalent indicator has been published for the iOS/Mac chain tracked here.
- LANDFALL samples on VirusTotal date from July 23, 2024 onward, with filenames pointing to WhatsApp as the delivery channel. That is a year before this advisory, so they are samples of the Android campaign, not of CVE-2025-55177.
- No proof of concept or technical write-up has been published for CVE-2025-55177. Exploitation was confirmed in the wild against specific targeted individuals (reported targets include journalists, lawyers, activists, politicians and senior officials).
- Version scope: WhatsApp for iOS before 2.25.21.73, WhatsApp Business for iOS before 2.25.21.78, WhatsApp for Mac before 2.25.21.78. Inventory and detection rules should compare versions numerically against these bounds, not as strings.
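A version-scope check that a fleet inventory or endpoint script can run, as an added example (not vendor code): the affected ranges are the ones in the table above, the Info.plist below is a constructed stand-in for the real file, and the install path named in the comment is an assumption. CFBundleShortVersionString is the standard macOS bundle version key.

```python
"""Added example: test an installed WhatsApp client against the affected
ranges listed on this page for CVE-2025-55177. The plist is a constructed
stand-in for a real Info.plist. Not vendor code."""
import plistlib
from typing import Tuple

# (first affected, first fixed) per product, from the Affected table above.
AFFECTED = {
    "whatsapp_ios":          ("2.22.25.2", "2.25.21.73"),
    "whatsapp_business_ios": ("2.22.25.2", "2.25.21.78"),
    "whatsapp_mac":          ("2.22.25.2", "2.25.21.78"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple compare. As strings, "2.25.21.9" > "2.25.21.73",
    which would wrongly mark a vulnerable build as fixed."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    first, fixed = AFFECTED[product]
    v = parse_version(version)
    return parse_version(first) <= v < parse_version(fixed)


def mac_version_from_plist(plist_bytes: bytes) -> str:
    """On a real Mac, read the app bundle's Info.plist (assumed path:
    /Applications/WhatsApp.app/Contents/Info.plist) and pass its bytes here."""
    return plistlib.loads(plist_bytes)["CFBundleShortVersionString"]


# Constructed sample plist; the version is chosen to fall inside the range.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleShortVersionString</key>
  <string>2.25.21.9</string>
</dict>
</plist>
"""


def check_mac_sample() -> Tuple[str, bool]:
    """Returns (version read from the sample plist, affected?)."""
    v = mac_version_from_plist(SAMPLE_PLIST)
    return v, is_affected("whatsapp_mac", v)


if __name__ == "__main__":
    print(check_mac_sample())
```

For iOS devices the same comparison applies to whatever app version an MDM inventory reports; the only part that changes is where the version string comes from.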
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| VulnCheck | | 10.0 | CRITICAL | |
| CISA | | 5.4 | MEDIUM | |
The 5.4 scores the WhatsApp authorization bug on its own: the attacker needs a WhatsApp account (PR:L), and the rated impact is low confidentiality and integrity with no availability impact. The 10.0 matches the rating carried by the chained Apple Image I/O bug CVE-2025-43300 (VulnCheck entry below). The in-the-wild chain, not the standalone score, is what put this CVE in KEV.
GHSA
GHSA-f7wf-m2qg-r9rx (ghsa_unreviewed · 2025-08-29 · CVE-2025-55177 · CVSS 10.0 [CRITICAL] · CWE-863): Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78
Description: same text as the vendor advisory reproduced at the top of this page.
VulnCheck
Meta Platforms WhatsApp Incorrect Authorization Vulnerability (vulncheck · 2025 · CVE-2025-55177 · CVSS 5.4 [MEDIUM] · CWE-863)
Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.
Affected: Meta Platforms WhatsApp
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.whatsapp.com/security/advisories/2025/; https://socprime.com/blog/latest-threats/cve-2025-55177-vulnerability/;
VulnCheck
Apple iOS, iPadOS, and macOS Out-of-Bounds Write Vulnerability (vulncheck · 2025 · CVE-2025-43300 · CVSS 10.0 [CRITICAL] · CWE-787)
Apple iOS, iPadOS, and macOS contain an out-of-bounds write vulnerability in the Image I/O framework.
Affected: Apple iOS, iPadOS, and macOS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://nvd.nist.gov/vuln/detail/CVE-2025-43300; https://support.apple.com/en-us/124925; https://support.apple.com/en-us/124926; https://support.apple.com/en-us/124927; https://support.apple.com/en-us/124928; https://support.apple.com/en-us/124929; https://www.acn.gov.it/portale/w/aggiornament
CISA
Meta Platforms WhatsApp Incorrect Authorization Vulnerability (cisa · 2025-09-02 · CVE-2025-55177 · CVSS 5.4 [MEDIUM] · CWE-863)
Affected: Meta Platforms WhatsApp
Description: the KEV catalog text, identical to the VulnCheck entry above.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.whatsapp.com/security/advisories/2025/ ; https://nvd.nist.gov/vuln/detail/CVE-2025-55177
Remediation Due Date: 2025-09-23
No detection rules found.
No public exploits indexed.
Bleepingcomputer
New LandFall spyware exploited Samsung zero-day via WhatsApp messages (blogs_bleepingcomputer · 2025-11-07 · CVSS 8.8 [HIGH])
## New LandFall spyware exploited Samsung zero-day via WhatsApp messages
By Bill Toulas
According to researchers at Palo Alto Networks’ Unit 42, the LandFall spyware is likely a commercial surveillance framework used in targeted intrusions.
The attacks begin with the delivery of a malformed .DNG raw image file with a .ZIP archive appended towards the end of the file.
Unit 42 researchers retrieved and examined samples that were submitted to the VirusTotal scanning platform starting July 23, 2024, indicating WhatsApp as the delivery channel, based on the filenames used.
From a technical perspective, the DNGs embed two main components: a loader (b.so) that can retrieve and load additional modules, and a SELinux policy manipulator (l.so), which modifies security settings on the devi
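The delivery shape described here (an image that parses as TIFF/DNG but carries a ZIP archive appended after the image data) is cheap to detect at a mail or chat gateway, and it also covers the b.so / l.so member names from the Detection & IOCs list above. The following is an added example, not code from Unit 42 or any vendor: it walks the ZIP structure backwards from the end-of-central-directory record, the way a ZIP reader does, so that a stray "PK" inside the pixel data does not mislead it. The sample file is constructed in memory from a minimal TIFF and a two-member archive.

```python
"""Added example: flag a file that starts as a TIFF/DNG image but carries a
ZIP archive appended after the image data, the delivery shape Unit 42
reports for LANDFALL. The sample file is constructed in memory; the member
names b.so and l.so are the component names reported on this page. Not code
from Unit 42 or any vendor."""
import io
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")   # DNG is a TIFF container
ZIP_LOCAL = b"PK\x03\x04"                # local file header signature
ZIP_EOCD = b"PK\x05\x06"                 # end-of-central-directory signature
EOCD_FMT = "<4sHHHHIIH"                  # fixed part of the EOCD record (22 bytes)
SUSPICIOUS_MEMBERS = {"b.so", "l.so"}    # LANDFALL loader / SELinux policy manipulator


def looks_like_tiff(data: bytes) -> bool:
    return data[:4] in TIFF_MAGIC


def find_appended_zip(data: bytes) -> Optional[Tuple[int, List[str]]]:
    """Locate a ZIP archive inside data the way a ZIP reader does: from the
    EOCD record at the tail, back through the central directory to the
    archive start. Returns (archive offset, member names) or None."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd < 0 or eocd + struct.calcsize(EOCD_FMT) > len(data):
        return None
    _, _, _, _, _, cd_size, cd_offset, _ = struct.unpack_from(EOCD_FMT, data, eocd)
    start = eocd - cd_size - cd_offset
    if start < 0 or data[start:start + 4] != ZIP_LOCAL:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def assess(data: bytes) -> Dict[str, object]:
    """Image header plus embedded archive is the pattern; known member names
    or any .so inside the archive raise the verdict."""
    verdict: Dict[str, object] = {"tiff_header": looks_like_tiff(data),
                                  "zip_offset": None, "members": [], "suspicious": False}
    hit = find_appended_zip(data)
    if hit is None:
        return verdict
    start, names = hit
    verdict["zip_offset"] = start
    verdict["members"] = names
    base = [n.rsplit("/", 1)[-1] for n in names]
    verdict["suspicious"] = verdict["tiff_header"] and any(
        b in SUSPICIOUS_MEMBERS or b.endswith(".so") for b in base)
    return verdict


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed input: a minimal little-endian TIFF (one IFD entry,
    ImageWidth=16, zero padding standing in for pixel data) and a ZIP
    holding two fake ELF members named as the LANDFALL components."""
    tiff = (b"II*\x00" + struct.pack("<I", 8)            # header, IFD at offset 8
            + struct.pack("<H", 1)                         # one IFD entry
            + struct.pack("<HHII", 256, 4, 1, 16)          # ImageWidth, LONG, count 1, value 16
            + struct.pack("<I", 0)                         # no next IFD
            + b"\x00" * 64)
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("b.so", b"\x7fELF" + b"\x00" * 60)
        zf.writestr("l.so", b"\x7fELF" + b"\x00" * 60)
    return tiff, zbuf.getvalue()


TIFF_PART, ZIP_PART = build_sample()
SAMPLE_DNG = TIFF_PART + ZIP_PART      # image with archive appended


if __name__ == "__main__":
    print(assess(SAMPLE_DNG))
```

The archive offset is derived from the EOCD record's central-directory size and offset rather than from the first "PK" signature found, which is what makes the check robust against image bytes that happen to contain that sequence; a plain ZIP or a plain TIFF on its own is not flagged.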
Unit42
LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices (blogs_unit42 · 2025-11-07 · CVE-2025-21042 · CVSS 8.8 [HIGH])
Published: November 7, 2025. Tagged: Threat Research, Vulnerabilities, Android, Apple, Samsung, CVE-2025-21042, CVE-2025-21043, CVE-2025-43300, CVE-2025-55177
## LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
## Executive Summary
Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms.
This vulnerability was actively exploited in the wild before Samsung patched it in April 2025, following reports of in-the-wild attacks. However, the exploit itself — and the commercial-grade spyware used with it — have not yet been publicly reported and analyzed.
LANDFALL was embedded in malicious image files (DNG file format) that appear to have been sent via
Bleepingcomputer
Apple backports zero-day patches to older iPhones and iPads (blogs_bleepingcomputer · 2025-09-16 · CVSS 10.0 [CRITICAL])
## Apple backports zero-day patches to older iPhones and iPads
By Sergiu Gatlan
An out-of-bounds write occurs when attackers supply maliciously crafted input to a program that causes it to write data outside the allocated memory buffer, potentially triggering crashes, corrupting data, or even allowing remote code execution.
Apple has now addressed this zero-day flaw in iOS 15.8.5 / 16.7.12, as well as iPadOS 15.8.5 / 16.7.12, with improved bounds checks.
"Processing a malicious image file may result in memory corruption. An out-of-bounds write issue was addressed with improved bounds checking," the company said in Monday advisories.
"Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."
The lis
Bleepingcomputer
Samsung patches actively exploited zero-day reported by WhatsApp (blogs_bleepingcomputer · 2025-09-12 · CVE-2025-21043 · CVSS 8.8 [HIGH])
## Samsung patches actively exploited zero-day reported by WhatsApp
By Sergiu Gatlan
Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices.
Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely.
"Out-of-bounds Write in libimagecodec.quram.s
Bleepingcomputer
Apple warns customers targeted in recent spyware attacks (blogs_bleepingcomputer · 2025-09-11 · CVSS 10.0 [CRITICAL])
## Apple warns customers targeted in recent spyware attacks
By Sergiu Gatlan
Apple warned customers last week that their devices were targeted in a new series of spyware attacks, according to the French national Computer Emergency Response Team (CERT-FR).
CERT-FR is operated by ANSSI, the National Cybersecurity Agency, and is responsible for preventing and mitigating cybersecurity-related incidents impacting public and critical organizations.
According to a Thursday advisory, CERT-FR is aware of at least four instances of Apple threat notifications alerting the company's users about mercenary spyware attacks that have occurred since the beginning of the year.
These alerts were sent on March 5, April 29, June 25, and last week, on September 3, to the phone numbers and email addresses a
Krebs
Microsoft Patch Tuesday, September 2025 Edition (blogs_krebs · 2025-09-09 · CVSS 8.8 [HIGH])
Microsoft Corp. today issued security updates to fix more than 80 vulnerabilities in its Windows operating systems and software. There are no known “zero-day” or actively exploited vulnerabilities in this month’s bundle from Redmond, which nevertheless includes patches for 13 flaws that earned Microsoft’s most-dire “critical” label. Meanwhile, both Apple and Google recently released updates to fix zero-day bugs in their devices.
Microsoft assigns security flaws a “critical” rating when malware or miscreants can exploit them to gain remote access to a Windows system with little or no help from users. Among the more concerning critical bugs quashed this month is CVE-2025-54918. The problem here resides with Windows NTLM, or NT LAN Manager, a suite of code for managing authentication in a Wi
Checkpoint
8th September – Threat Intelligence Report (blogs_checkpoint · 2025-09-08 · CVE-2025-55177)
## 8th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 8th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
A supply chain breach involving Salesloft’s Drift integration to Salesforce exposed sensitive customer data from multiple organizations, including Cloudflare, Zscaler, Palo Alto Networks, and Workiva. The attackers accessed Salesforce CRM systems via compromised OAuth tokens, stealing contact details, account records, s
Talos
From summer camp to grind season (blogs_talos · 2025-09-04)
## From summer camp to grind season
Welcome to this week’s edition of the Threat Source newsletter.
This is the way the world ends
This is the way the world ends
This is the way the world ends
Not with a bang but a whimper. – T.S. Eliot
So this is how Summer Camp 2025 ends, not with a bang but a whimper. We’ve put the summer behind us and are moving on to the next phase of the year, where we all put our noses down and grind from here to the holiday season. Happy Grind Season 2025.
As you know, threat research never takes a day off, but I’m going to step in and remind you all to look at your calendars. Decide, here and now, to take some time before that holiday season so that you can take care of your mental health, because mental health is health.
This is doubly important if you lead a team of people. Take a minute and m
Checkpoint
1st September – Threat Intelligence Report (blogs_checkpoint · 2025-09-01 · CVE-2025-55177)
## 1st September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 1st September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
American consumer credit reporting agency TransUnion has suffered a data breach that resulted in the exposure of sensitive personal information for over 4.4 million individuals in the United States. The leaked data includes names, billing addresses, phone numbers, email addresses, dates of birth, unredacted Social Secur
Bleepingcomputer
WhatsApp patches vulnerability exploited in zero-day attacks (blogs_bleepingcomputer · 2025-08-29 · CVE-2025-55177 · CVSS 10.0 [CRITICAL])
## WhatsApp patches vulnerability exploited in zero-day attacks
By Sergiu Gatlan
WhatsApp has patched a security vulnerability in its iOS and macOS messaging clients that was exploited in targeted zero-day attacks.
The company says this zero-click flaw (tracked as CVE-2025-55177) affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78.
"Incomplete authorization of linked device synchronization messages in WhatsApp [..] could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device," WhatsApp said in a Friday security advisory.
"We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploite
Recorded Future
September 2025 CVE Landscape (blogs_recorded_future · CVSS 7.2 [HIGH])
## September 2025 CVE Landscape
In September 2025, Recorded Future’s Insikt Group® identified sixteen high-impact vulnerabilities that should be prioritized for remediation. This represents a decrease from the eighteen identified in August, with the number of Very Critical vulnerabilities also decreasing (11) month over month.
These vulnerabilities have affected the following vendors: Sudo, Libraesva, Fortra, Cisco, Adminer, Google, Dassault Systèmes, Linux, Android, Sitecore, TP-Link, and Meta Platforms.
September was dominated by flaws in Cisco and TP-Link, which together represented six of the sixteen vulnerabilities. Cisco’s IOS, IOS XE, and Secure Firewall products were affected by flaws, including stack-based and classic buffer overflows (CWE-121, CWE-120) and missing authorization
Timeline
- 2025-08-29: Published
- 2025-09-02: Added to CISA KEV
- Exploited in the wild