Cyber Resilience

CVE-2025-55177

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 29 August 2025
Modified: 24 October 2025
KEV Added: 02 September 2025
Patch: available (patched versions listed below)
CVSS Score v3.1: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
EPSS Score: 0.0076 (73.8th percentile)
Risk Priority: 31 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-55177 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in WhatsApp (vendor: WhatsApp). Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE is ranked in the top 26.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-55177 is an incomplete authorization vulnerability (CWE-863) in the handling of linked device synchronization messages within WhatsApp for iOS versions prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78. This flaw enables an unrelated user to trigger the processing of content from an arbitrary URL on a target's device. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges.

An attacker with low privileges, such as an unrelated WhatsApp user, can exploit this issue over the network without user interaction to force the target's device to process malicious content from a remote URL. While standalone exploitation yields limited confidentiality and integrity impacts, the vulnerability's description notes that, when chained with an Apple OS-level flaw (CVE-2025-43300), it may enable sophisticated attacks targeting specific users.

Advisories from Meta's Facebook security page (https://www.facebook.com/security/advisories/cve-2025-55177), WhatsApp's 2025 security advisories (https://www.whatsapp.com/security/advisories/2025/), and CISA's Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177) recommend updating to the patched versions (WhatsApp for iOS v2.25.21.73 or later, WhatsApp Business for iOS v2.25.21.78 or later, and WhatsApp for Mac v2.25.21.78 or later) as the primary mitigation.

This issue has been added to CISA's Known Exploited Vulnerabilities catalog, signaling active exploitation concerns, particularly in targeted attacks when combined with CVE-2025-43300.

EU & UK References

Vulnerability details

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 02 September 2025

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1105 Ingress Tool Transfer (Tactic: Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Vulnerability enables attacker-controlled arbitrary URL content processing on the victim client without interaction, directly facilitating client-side exploitation (T1203) and forced ingress of malicious payloads (T1105) when chained with OS-level flaws.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-54253 · Shared CWE-863 · both on KEV
CVE-2025-24200 · Shared CWE-863 · both on KEV
CVE-2024-23929 · Shared CWE-863
CVE-2026-27140 · Shared CWE-863
CVE-2026-42843 · Shared CWE-863
CVE-2025-21565 · Shared CWE-863
CVE-2026-28951 · Shared CWE-863
CVE-2026-44110 · Shared CWE-863
CVE-2026-46823 · Shared CWE-863
CVE-2026-42432 · Shared CWE-863

Affected Assets

Vendor: whatsapp · Product: whatsapp · Versions: 2.22.25.2 — 2.25.21.73 · 2.22.25.2 — 2.25.21.78
Vendor: whatsapp · Product: whatsapp business · Versions: 2.22.25.2 — 2.25.21.78
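The affected ranges above are what a fleet or MDM owner needs to turn into a yes/no answer per device. The script below is an added example written for this page, not code from the page's source or from Meta/WhatsApp. It assumes the range start 2.22.25.2 is inclusive and, following the advisory wording "prior to v2.25.21.73" / "prior to v2.25.21.78", that the first fixed version is excluded from the affected range; it also assumes an inventory export in a simple CSV shape (device_id,product,platform,version), which is constructed here for illustration. The platform labels ("ios", "mac") are the example's own, chosen to match the advisory's product list.

```python
"""Check a device inventory against the affected version ranges of CVE-2025-55177.

Added illustrative example, not code from this page's source or from WhatsApp.
Assumptions (labelled): start of range inclusive, first fixed version exclusive
("prior to vX"); inventory CSV format and platform labels are constructed here.
"""
import csv
import io

# (product, platform) -> (first affected version, first fixed version).
# Values taken from the page's Affected Assets / Deeper analysis sections.
AFFECTED_RANGES = {
    ("whatsapp", "ios"): ("2.22.25.2", "2.25.21.73"),
    ("whatsapp", "mac"): ("2.22.25.2", "2.25.21.78"),
    ("whatsapp business", "ios"): ("2.22.25.2", "2.25.21.78"),
}


def version_key(version: str) -> tuple:
    """Turn '2.25.21.73' (optionally with a leading 'v') into a tuple of ints."""
    parts = version.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; shorter tuples are zero-padded
    so that '2.25' compares equal to '2.25.0.0' rather than lower."""
    x, y = version_key(a), version_key(b)
    n = max(len(x), len(y))
    x += (0,) * (n - len(x))
    y += (0,) * (n - len(y))
    return x < y


def is_affected(product: str, platform: str, version: str) -> bool:
    """Return True if this product/platform/version falls in an affected range.
    Products or platforms the advisory does not name are reported as not affected."""
    key = (product.strip().lower(), platform.strip().lower())
    if key not in AFFECTED_RANGES:
        return False
    start, fixed = AFFECTED_RANGES[key]
    # start inclusive (not below start), fixed version exclusive ("prior to").
    return not version_lt(version, start) and version_lt(version, fixed)


# Constructed sample inventory; device ids and versions are made up for the example.
SAMPLE_INVENTORY = """\
device_id,product,platform,version
ipad-0001,WhatsApp,iOS,2.25.21.72
iphone-0002,WhatsApp,iOS,2.25.21.73
mbp-0003,WhatsApp,Mac,2.25.21.77
iphone-0004,WhatsApp Business,iOS,2.25.21.73
iphone-0005,WhatsApp,iOS,2.22.25.1
"""


def assess_inventory(csv_text: str) -> list:
    """Evaluate each inventory row; returns one dict per row with an 'affected' flag
    and the first fixed version to upgrade to (None when not in scope)."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["product"].strip().lower(), row["platform"].strip().lower())
        fixed = AFFECTED_RANGES.get(key, (None, None))[1]
        results.append({
            "device_id": row["device_id"],
            "product": row["product"],
            "platform": row["platform"],
            "version": row["version"],
            "affected": is_affected(row["product"], row["platform"], row["version"]),
            "fixed_in": fixed,
        })
    return results


def affected_devices(csv_text: str) -> list:
    """Sorted list of device ids that still run an affected build."""
    return sorted(r["device_id"] for r in assess_inventory(csv_text) if r["affected"])


if __name__ == "__main__":
    for r in assess_inventory(SAMPLE_INVENTORY):
        status = f"AFFECTED, upgrade to {r['fixed_in']}" if r["affected"] else "ok"
        print(f"{r['device_id']:12} {r['product']:18} {r['platform']:4} {r['version']:12} {status}")
```

On the constructed inventory, the iOS device on 2.25.21.72 and the Mac on 2.25.21.77 are flagged, the Business client on 2.25.21.73 is flagged because its fix landed at 2.25.21.78, and the build below the range start is not. Swap the constructed CSV for a real MDM export with the same columns to run it against a fleet.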

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

SI-2 Flaw Remediation · prevent

Requires timely identification, reporting, and correction of flaws like the incomplete authorization in WhatsApp linked device synchronization, directly enabling patching to the recommended versions.

AC-3 Access Enforcement · prevent

Enforces approved authorizations for processing linked device synchronization messages, preventing unrelated users from triggering arbitrary URL content processing on target devices.

prevent

Validates incoming synchronization messages for proper authorization and content restrictions, mitigating unauthorized URL fetches even if authorization checks are incomplete.

References