WhatsApp disclosed a zero-click exploit chain targeting specific users by combining a WhatsApp vulnerability (CVE-2025-55177) with an Apple Image I/O framework flaw (CVE-2025-43300). Attackers sent malicious messages to dozens of users, exploiting out-of-bounds memory writes in Apple’s image processing system and unauthorized WhatsApp message synchronization to compromise devices without user interaction. The attack allowed full device takeover, including access to messages, media, and other sensitive data. Affected users were advised to perform a factory reset, though residual malware risks persisted. The exploit leveraged a chained infection vector, primarily impacting iOS and Mac users, with Android devices potentially exposed via separate attack paths. WhatsApp patched the flaw in updates (iOS v2.25.21.73+, Mac v2.25.21.78+), but the incident highlighted the severity of zero-click threats in spyware campaigns, where no user action is required for compromise. Amnesty International linked the attack to advanced surveillance operations, emphasizing the risk to high-profile targets.
TPRM report: https://www.rankiteo.com/company/whatsapp.
{
  "id": "wha810090225",
  "linkid": "whatsapp.",
  "type": "Vulnerability",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Dozens of targeted users (exact '
'number undisclosed)',
'industry': 'Technology/Social Media',
'location': 'Global',
'name': 'WhatsApp (Meta)',
'type': 'Messaging platform'},
{'customers_affected': 'iOS and Mac users with '
'unpatched devices',
'industry': 'Consumer Electronics/Software',
'location': 'Global',
'name': 'Apple Inc.',
'type': 'Technology company'}],
'attack_vector': ['Malicious message (WhatsApp)',
'Exploit chaining (Apple Image I/O + WhatsApp sync flaw)',
'Zero-click (no user interaction required)'],
'customer_advisories': ['Factory reset recommendation for potentially '
'compromised devices.',
'Urgent update prompts for WhatsApp and device OS.',
'Security best practices (e.g., enabling advanced '
'protection features).'],
'data_breach': {'data_exfiltration': 'Likely (spyware installation implied)',
'file_types_exposed': ['Image files (malicious payload)',
'Potentially all device-stored files'],
'personally_identifiable_information': 'High risk (if device '
'compromised)',
'sensitivity_of_data': 'High (personal messages, potentially '
'sensitive device data)',
'type_of_data_compromised': ['Messages',
'Device-stored data (potential '
'full access)']},
'description': 'WhatsApp patched a vulnerability (CVE-2025-55177) exploited '
'in conjunction with an Apple Image I/O framework '
'vulnerability (CVE-2025-43300) to compromise devices via '
'zero-click attacks. Attackers sent malicious messages to '
'dozens of users, leveraging an out-of-bounds write flaw in '
'Apple’s Image I/O and a WhatsApp synchronization message '
'authorization bypass. Affected users were advised to perform '
'a factory reset and update their devices. The attack targeted '
'both iPhone and Android users, though the most severe '
'zero-click risk applied primarily to Apple devices.',
'impact': {'brand_reputation_impact': 'Moderate (proactive disclosure and '
'mitigation may limit damage)',
'data_compromised': ['Messages',
'Device data (potential full access)'],
'identity_theft_risk': 'High (if spyware installed)',
'operational_impact': 'Potential full device compromise, including '
'spyware installation',
'payment_information_risk': 'Potential (if device fully '
'compromised)',
'systems_affected': ['iOS devices',
'Mac devices',
'Android devices (limited scope)']},
'initial_access_broker': {'backdoors_established': 'Likely (spyware '
'implantation implied)',
'entry_point': 'Malicious WhatsApp message '
'(zero-click)',
'high_value_targets': 'Dozens of specific users '
'(targeted attack)'},
'investigation_status': 'Ongoing (WhatsApp and Amnesty International '
'collaboration)',
'lessons_learned': ['Zero-click exploits pose severe risks even to fully '
'patched systems when chained with other vulnerabilities.',
'Cross-platform vulnerabilities (e.g., Apple Image I/O) '
'can amplify attack surfaces for apps like WhatsApp.',
'Proactive user notification and clear mitigation steps '
'are critical for limiting damage from targeted attacks.'],
'post_incident_analysis': {'corrective_actions': ['Apple: Tightened memory '
'bounds checking in Image '
'I/O framework.',
'WhatsApp: Patched '
'synchronization message '
'authorization and updated '
'client apps.',
'User guidance: Factory '
'reset and update '
'enforcement.'],
'root_causes': ['Insufficient bounds checking in '
'Apple Image I/O framework '
'(CVE-2025-43300).',
'Incomplete authorization for '
'WhatsApp linked device '
'synchronization (CVE-2025-55177).',
'Exploit chaining enabled '
'zero-click compromise without '
'user interaction.']},
'recommendations': ['Immediately update WhatsApp and device OS to the latest '
'versions.',
'Perform a factory reset if notified by WhatsApp of '
'potential compromise.',
'Enable advanced security features (e.g., Google Advanced '
'Protection for Android).',
'Use mobile security solutions (e.g., Malwarebytes) for '
'additional protection.',
'Monitor for unusual device behavior (e.g., battery '
'drain, data usage spikes).',
'Organizations should audit third-party app dependencies '
'(e.g., Image I/O framework) for shared vulnerabilities.'],
'references': [{'source': 'WhatsApp Security Advisory'},
{'source': 'Apple Security Update (CVE-2025-43300)'},
{'source': 'Amnesty International Security Lab'},
{'source': 'Malwarebytes Blog (Mitigation Guidance)'}],
'response': {'communication_strategy': ['Direct notifications to affected '
'users',
'Public advisory via blog/press',
'Collaboration with Amnesty '
'International for technical details'],
'containment_measures': ['WhatsApp server-side patches to block '
'exploit',
'User notifications with mitigation '
'steps'],
'incident_response_plan_activated': True,
'recovery_measures': ['Device updates (OS and WhatsApp)',
'Security feature enablement (e.g., Google '
'Advanced Protection for Android)'],
'remediation_measures': ['WhatsApp app updates (iOS '
'v2.25.21.73+, Mac v2.25.21.78+)',
'Apple security updates for Image I/O '
'framework',
'Factory reset recommendation for '
'affected users'],
'third_party_assistance': ['Amnesty International Security Lab '
'(investigation)']},
'stakeholder_advisories': ['Direct notifications to affected users with '
'factory reset instructions.',
'Public guidance on updating devices and apps.'],
'title': 'WhatsApp Zero-Click Exploit Chain Targeting iOS and Android Users '
'via Malicious Messages',
'type': ['Zero-click exploit',
'Remote code execution (RCE)',
'Memory corruption',
'Unauthorized synchronization'],
'vulnerability_exploited': [{'affected_components': ['Image I/O framework '
'(macOS/iOS)',
'Apps using image '
'processing (e.g., '
'WhatsApp)'],
'cve_id': 'CVE-2025-43300',
'description': 'Out-of-bounds write in Apple '
'Image I/O framework (iOS/macOS), '
'enabling memory corruption and '
'arbitrary code execution via '
'malicious image files.',
'severity': 'Critical'},
{'affected_components': ['WhatsApp for iOS (prior '
'to v2.25.21.73)',
'WhatsApp Business for '
'iOS (prior to '
'v2.25.21.78)',
'WhatsApp for Mac (prior '
'to v2.25.21.78)'],
'cve_id': 'CVE-2025-55177',
'description': 'Incomplete authorization of '
'linked device synchronization '
'messages in WhatsApp, allowing '
'arbitrary URL processing on '
'target devices.',
'severity': 'High'}]}