Meta Platforms (WhatsApp)

A zero-day vulnerability (CVE-2025-55177) was discovered in WhatsApp’s linked-device synchronization feature, allowing unauthorized users to force a target device to process malicious content from arbitrary URLs. When combined with an Apple OS-level flaw (CVE-2025-43300), this could enable remote exploitation via image previews—bypassing user interaction. The NCC Group’s assessment further revealed risks in WhatsApp’s Message Summarization Service, including potential leakage of secret user data, reuse of outdated Trusted Execution Environment (TEE) images with known vulnerabilities, and full container access privileges for attackers. Exploitation could also compromise RA-TLS private keys, enabling attacker impersonation of secure containers. While Meta mitigated risks with layered defenses and runtime attestation, the vulnerabilities posed a high-risk vector for targeted attacks, data exfiltration, and unauthorized system access. CISA issued urgent advisories, recommending patching, network monitoring, and temporary avoidance of WhatsApp until fixes were deployed.

Source: https://news.clearancejobs.com/2025/09/05/is-whatsapp-still-safe-security-experts-weigh-in-after-zero-day/

TPRM report: https://www.rankiteo.com/company/meta

"id": "met2064520090625",
"linkid": "meta",
"type": "Vulnerability",
"date": "6/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Targeted users (specific '
                                              'individuals/organizations)',
                        'industry': 'Social Media/Messaging',
                        'location': 'Global',
                        'name': 'Meta Platforms (WhatsApp)',
                        'size': 'Large (Enterprise)',
                        'type': 'Technology Company'},
                       {'customers_affected': 'Users of vulnerable iOS/Mac '
                                              'devices',
                        'industry': 'Consumer Electronics/Software',
                        'location': 'Global',
                        'name': 'Apple Inc.',
                        'size': 'Large (Enterprise)',
                        'type': 'Technology Company'}],
 'attack_vector': ['Linked-device synchronization messages',
                   'Malicious image processing (via image IO library)',
                   'Exploitation of OS-level vulnerability (CVE-2025-43300)'],
 'customer_advisories': ['Patch WhatsApp immediately',
                         'Disable app if unable to patch',
                         'Monitor for suspicious activity'],
 'data_breach': {'data_exfiltration': ['Potential (via CVM exploitation)',
                                       'Arbitrary URL content processing'],
                 'file_types_exposed': ['Image files (via malicious image IO '
                                        'exploitation)',
                                        'Synchronization messages'],
                 'personally_identifiable_information': 'Potential (if user '
                                                        'data leaked)',
                 'sensitivity_of_data': 'High (cryptographic keys, user '
                                        'messages)',
                 'type_of_data_compromised': ['User data (potential)',
                                              'RA-TLS private keys (risk)',
                                              'Container access privileges']},
 'description': 'A zero-day vulnerability (CVE-2025-55177) was discovered in '
                'WhatsApp, allowing unauthorized processing of content from '
                'arbitrary URLs via linked-device synchronization messages. '
                'The flaw, combined with an Apple OS-level vulnerability '
                '(CVE-2025-43300), was exploited in sophisticated attacks '
                'targeting specific users. CISA advised patching and disabling '
                'WhatsApp until a secure version was deployed. A separate NCC '
                'Group assessment revealed additional risks in WhatsApp’s '
                'Message Summarization Service, including potential data leaks '
                'and exploitation of outdated Trusted Execution Environment '
                '(TEE) images.',
 'impact': {'brand_reputation_impact': ['Erosion of trust in WhatsApp/Meta '
                                        'security',
                                        'Concerns over transparency and '
                                        'open-source verification'],
            'data_compromised': ['User data (potential leakage)',
                                 'RA-TLS private keys (risk of exposure)',
                                 'Container access privileges'],
            'identity_theft_risk': ['Potential (via data exfiltration)',
                                    'RA-TLS key misuse'],
            'operational_impact': ['Risk of unauthorized container access',
                                   'Potential supplanting of CVM via RA-TLS '
                                   'keys',
                                   'Loss of user trust'],
            'systems_affected': ['WhatsApp for iOS (prior to v2.25.21.73)',
                                 'WhatsApp Business for iOS (prior to '
                                 'v2.25.21.78)',
                                 'WhatsApp for Mac (prior to v2.25.21.78)',
                                 'Apple devices (via CVE-2025-43300)']},
 'initial_access_broker': {'entry_point': ['Linked-device synchronization '
                                           'messages',
                                           'Malicious image files (via image '
                                           'IO exploit)'],
                           'high_value_targets': 'Specific '
                                                 'individuals/organizations '
                                                 '(targeted attacks)'},
 'investigation_status': 'Ongoing (NCC Group assessment published; CISA '
                         'advisory active)',
 'lessons_learned': ['Criticality of patching both application and OS-level '
                     'vulnerabilities in tandem',
                     'Risks of outdated TEE images and CVM exploitation in '
                     'cloud services',
                     'Importance of verifiable transparency (open-source code, '
                     'reproducible builds)',
                     'Need for runtime attestation and layered defenses in '
                     'messaging platforms'],
 'motivation': ['Targeted surveillance',
                'Data exfiltration',
                'Privilege escalation'],
 'post_incident_analysis': {'corrective_actions': ['Released patches for '
                                                   'WhatsApp (iOS/Mac)',
                                                   'Enhanced runtime '
                                                   'attestation for critical '
                                                   'components',
                                                   'Client-side enforcement '
                                                   'for data consent',
                                                   'CISA-recommended traffic '
                                                   'monitoring for anomalies',
                                                   'NCC Group’s call for '
                                                   'open-source verification '
                                                   'and reproducible builds'],
                            'root_causes': ['Incomplete authorization in '
                                            'WhatsApp linked-device '
                                            'synchronization',
                                            'OS-level vulnerability '
                                            '(CVE-2025-43300) enabling chain '
                                            'exploitation',
                                            'Outdated TEE images with known '
                                            'vulnerabilities',
                                            'Automatic image loading without '
                                            'user interaction (image IO '
                                            'exploit)']},
 'recommendations': ['Apply WhatsApp security patches immediately '
                     '(v2.25.21.73+ for iOS, v2.25.21.78+ for Mac)',
                     'Disable WhatsApp until secure version is confirmed (per '
                     'CISA advisory)',
                     'Monitor network traffic for unusual outbound HTTP '
                     'requests from WhatsApp clients',
                     'Enforce client-side consent for data egress',
                     'Adopt open-source verification and reproducible builds '
                     'for critical artifacts (per NCC Group)',
                     'Patch Apple devices to mitigate CVE-2025-43300',
                     'Avoid automatic image loading in messaging apps until '
                     'vulnerabilities are patched'],
 'references': [{'source': 'CISA Advisory on WhatsApp Zero-Day '
                           '(CVE-2025-55177)'},
                {'source': 'WhatsApp Security Advisory (CVE-2025-55177)'},
                {'source': 'NCC Group WhatsApp Message Summarization Service '
                           'Assessment'},
                {'source': 'ClearanceJobs Interview with Lawrence Pingree '
                           '(Dispersive)'},
                {'source': 'ClearanceJobs Interview with Jared Samuel (NCC '
                           'Group)'}],
 'regulatory_compliance': {'regulatory_notifications': ['CISA advisory '
                                                        'issued']},
 'response': {'communication_strategy': ['Public security advisory (WhatsApp)',
                                         'CISA warning to organizations',
                                         'NCC Group report publication'],
              'containment_measures': ['Security patches released (WhatsApp '
                                       'v2.25.21.73+)',
                                       'Disabling linked-device sync from '
                                       'unauthenticated endpoints',
                                       'CISA advisory to monitor outbound HTTP '
                                       'traffic'],
              'enhanced_monitoring': ['Monitoring for unusual outbound HTTP '
                                      'requests (CISA recommendation)'],
              'incident_response_plan_activated': True,
              'remediation_measures': ['Layered defense model (Meta)',
                                       'Runtime attestation of critical '
                                       'components',
                                       'Client-side enforcement for data '
                                       'consent'],
              'third_party_assistance': ['NCC Group (security assessment)',
                                         'CISA (advisory)']},
 'stakeholder_advisories': ['CISA warning to organizations',
                            'WhatsApp user notifications (via app updates)'],
 'title': 'Zero-Day Vulnerability in Meta’s WhatsApp (CVE-2025-55177) '
          'Exploited in Targeted Attacks',
 'type': ['Zero-day vulnerability',
          'Unauthorized data processing',
          'Targeted attack'],
 'vulnerability_exploited': ['CVE-2025-55177 (WhatsApp incomplete '
                             'authorization)',
                             'CVE-2025-43300 (Apple OS-level vulnerability)',
                             'Outdated TEE image reuse',
                             'Confidential Virtual Machine (CVM) exploitation']}