CVE-2025-55177
Published: 29 August 2025
Summary
CVE-2025-55177 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Whatsapp Whatsapp. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 26.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-55177 is an incomplete authorization vulnerability (CWE-863) in the handling of linked device synchronization messages within WhatsApp for iOS versions prior to v2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78. This flaw enables an unrelated user to trigger the processing of content from an arbitrary URL on a target's device. The vulnerability carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N), indicating medium severity with network accessibility, low attack complexity, and requirements for low privileges.
An attacker with low privileges, such as an unrelated WhatsApp user, can exploit this issue over the network without user interaction to force the target's device to process malicious content from a remote URL. While standalone exploitation yields limited confidentiality and integrity impacts, the vulnerability's description notes that, when chained with an Apple OS-level flaw (CVE-2025-43300), it may enable sophisticated attacks targeting specific users.
Advisories from Meta's Facebook security page (https://www.facebook.com/security/advisories/cve-2025-55177), WhatsApp's 2025 security advisories (https://www.whatsapp.com/security/advisories/2025/), and CISA's Known Exploited Vulnerabilities catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-55177) recommend updating to the patched versions (WhatsApp for iOS v2.25.21.73 or later, WhatsApp Business for iOS v2.25.21.78 or later, and WhatsApp for Mac v2.25.21.78 or later) as the primary mitigation.
This issue has been added to CISA's Known Exploited Vulnerabilities catalog, signaling active exploitation concerns, particularly in targeted attacks when combined with CVE-2025-43300.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-26214
Vulnerability details
Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on…
more
a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.
- CWE(s)
- KEV Date Added
- 02 September 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables attacker-controlled arbitrary URL content processing on the victim client without interaction, directly facilitating client-side exploitation (T1203) and forced ingress of malicious payloads (T1105) when chained with OS-level flaws.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of flaws like the incomplete authorization in WhatsApp linked device synchronization, directly enabling patching to the recommended versions.
Enforces approved authorizations for processing linked device synchronization messages, preventing unrelated users from triggering arbitrary URL content processing on target devices.
Validates incoming synchronization messages for proper authorization and content restrictions, mitigating unauthorized URL fetches even if authorization checks are incomplete.