WhatsApp disclosed a zero-click vulnerability (CVE-2025-55177) in its iOS and macOS apps, exploited in targeted zero-day attacks alongside an Apple OS-level flaw (CVE-2025-43300). The flaw allowed attackers to bypass authorization and force devices to process malicious content from arbitrary URLs, enabling spyware deployment (e.g., Paragon’s *Graphite*). WhatsApp confirmed the attacks were highly sophisticated, likely state-sponsored, targeting journalists, civil society members, and high-profile individuals over 90 days. While WhatsApp patched the issue and warned affected users, the malware may persist on compromised devices, requiring factory resets. The attack mirrors a March 2025 incident where WhatsApp disrupted a Paragon spyware campaign exploiting a similar zero-day. The combination of WhatsApp and Apple OS vulnerabilities suggests advanced persistent threat (APT) actors leveraged multi-stage exploits to infiltrate devices silently, exfiltrate data, and maintain persistence. No evidence of mass data breaches was reported, but the targeted nature implies high-value intelligence gathering, potentially compromising sensitive communications, contacts, and device integrity of victims. Users were urged to update software and reset devices to mitigate risks.
TPRM report: https://www.rankiteo.com/company/whatsapp.
{
  "id": "wha28105328090725",
  "linkid": "whatsapp.",
  "type": "Vulnerability",
  "date": "3/2025",
  "severity": "60",
  "impact": "3",
  "explanation": "Attack with significant impact with internal employee data leaks"
}
{'affected_entities': [{'customers_affected': 'Targeted users (journalists, '
'civil society members, '
'high-risk individuals)',
'industry': 'Messaging/Communication',
'location': 'Global',
'name': 'WhatsApp (Meta Platforms, Inc.)',
'size': 'Large (2+ billion users)',
'type': 'Technology company'}],
'attack_vector': ['Zero-click exploit',
'Linked device synchronization vulnerability',
'Arbitrary URL processing'],
'customer_advisories': ['Factory reset recommended for potentially '
'compromised devices.',
'Keep WhatsApp and device OS updated to latest '
'versions.',
'Monitor for unusual device behavior (indicative of '
'spyware).'],
'data_breach': {'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (spyware capable of exfiltrating '
'sensitive user data)',
'type_of_data_compromised': ['Device metadata',
'Potential communications (via '
'spyware)',
'User activity']},
'date_publicly_disclosed': '2025-09-20',
'date_resolved': '2025-09-20',
'description': 'WhatsApp patched a zero-click security vulnerability '
'(CVE-2025-55177) in its iOS and macOS clients, exploited in '
'targeted attacks. The flaw, combined with an Apple OS-level '
'zero-day (CVE-2025-43300), enabled sophisticated spyware '
'campaigns. WhatsApp warned select users of potential '
"compromise via advanced spyware (e.g., Paragon's Graphite) "
'and advised factory resets. The attack leveraged incomplete '
'authorization in linked device synchronization to process '
"arbitrary URLs on targets' devices.",
'impact': {'brand_reputation_impact': ['Potential erosion of trust due to '
'targeted spyware attacks'],
'data_compromised': ['Potential device compromise',
'Spyware installation (e.g., Graphite)'],
'identity_theft_risk': ['High (via spyware capabilities)'],
'operational_impact': ['User notifications',
'Factory reset recommendations',
'Ongoing risk of device compromise'],
'systems_affected': ['WhatsApp for iOS (<2.25.21.73)',
'WhatsApp Business for iOS (<2.25.21.78)',
'WhatsApp for Mac (<2.25.21.78)',
'Apple iOS/macOS (via CVE-2025-43300)']},
'initial_access_broker': {'backdoors_established': ['Paragon Graphite spyware '
'(suspected)'],
'entry_point': 'Linked device synchronization '
'messages (WhatsApp vulnerability)',
'high_value_targets': ['Journalists',
'Civil society members',
'Activists']},
'investigation_status': 'Ongoing (limited details disclosed; collaboration '
'with Apple and third-party researchers)',
'lessons_learned': ['Zero-click vulnerabilities in messaging apps remain '
'high-value targets for APT groups.',
'Cross-platform vulnerabilities (e.g., WhatsApp + Apple '
'OS) amplify attack impact.',
'Proactive user notifications and remediation guidance '
'are critical for targeted attacks.'],
'motivation': ['Espionage', 'Targeted surveillance'],
'post_incident_analysis': {'corrective_actions': ['Patched WhatsApp iOS/macOS '
'clients to version '
'2.25.21.73+.',
'Enhanced monitoring for '
'linked device '
'synchronization abuses.',
'Collaboration with Apple '
'to address OS-level '
'zero-day (CVE-2025-43300).',
'Proactive user '
'notifications for targeted '
'individuals.'],
'root_causes': ['Incomplete authorization in '
"WhatsApp's linked device "
'synchronization.',
'Lack of user interaction '
'requirements for exploit '
'execution (zero-click).',
'Cross-platform dependency risks '
'(WhatsApp + Apple OS '
'vulnerabilities).']},
'ransomware': {'data_exfiltration': True},
'recommendations': ['Implement stricter authorization controls for linked '
'device synchronization.',
'Enhance collaboration with OS vendors (e.g., Apple) to '
'mitigate cross-platform risks.',
'Expand threat intelligence sharing with civil society '
'organizations (e.g., Citizen Lab, Amnesty '
'International).',
'Accelerate patch deployment for zero-day vulnerabilities '
'in widely used applications.'],
'references': [{'date_accessed': '2025-09-20',
'source': 'WhatsApp Security Advisory (CVE-2025-55177)',
'url': 'https://www.whatsapp.com/security/advisories/2025'},
{'date_accessed': '2025-09-20',
'source': 'BleepingComputer - WhatsApp patches zero-day used '
'in Paragon spyware attacks',
'url': 'https://www.bleepingcomputer.com/news/security/whatsapp-patches-zero-day-used-in-paragon-spyware-attacks/'},
{'date_accessed': '2025-09-20',
'source': 'Amnesty International Security Lab Statement',
'url': 'https://www.amnesty.org/en/latest/news/2025/09/whatsapp-spyware-campaign-targets-journalists/'},
{'date_accessed': '2025-09-15',
'source': 'Apple Security Updates (CVE-2025-43300)',
'url': 'https://support.apple.com/en-us/HT214023'}],
'response': {'communication_strategy': ['Direct alerts to targeted users',
'Public security advisory',
'Media statements'],
'containment_measures': ['Patching vulnerable WhatsApp versions '
'(iOS/macOS)',
"Disrupting Paragon's Graphite spyware "
'campaign'],
'incident_response_plan_activated': True,
'remediation_measures': ['User notifications',
'Factory reset recommendations',
'OS/software update advisories'],
'third_party_assistance': ['Amnesty International Security Lab',
"University of Toronto's Citizen "
'Lab']},
'stakeholder_advisories': ['Targeted users notified via in-app alerts with '
'remediation steps.',
'Public advisory urging updates to WhatsApp and '
'device OS.'],
'threat_actor': ['Paragon (suspected)',
'Advanced persistent threat (APT) actors'],
'title': 'WhatsApp Zero-Day Vulnerability (CVE-2025-55177) Exploited in '
'Targeted Spyware Attacks',
'type': ['Zero-day exploit', 'Spyware campaign', 'Targeted attack'],
'vulnerability_exploited': ['CVE-2025-55177 (WhatsApp incomplete '
'authorization)',
'CVE-2025-43300 (Apple OS-level zero-day)']}