CVE-2025-55177

Warnung

Medienbericht

EPSS 0.63%
Veröffentlicht 29.08.2025 15:50:28
Zuletzt bearbeitet 03.09.2025 14:03:49
Quelle cve-assign@fb.com
Teams Watchlist Login
Unerledigt Login

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Betroffene Produkte Warnungen 1 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

WhatsApp ≫ WhatsApp SwPlatformiphone_os Version >= 2.22.25.2 < 2.25.21.73

WhatsApp ≫ WhatsApp SwPlatformmacos Version >= 2.22.25.2 < 2.25.21.78

WhatsApp ≫ WhatsApp Business SwPlatformiphone_os Version >= 2.22.25.2 < 2.25.21.78

02.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Meta Platforms WhatsApp Incorrect Authorization Vulnerability

Schwachstelle

Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.63%	0.695

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve-assign@fb.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.heise.de/news/Zero-Click-Angriff-auf-Apple-Geraete-via-WhatsApp-10626629.html

Medienbericht

heise Security

https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/

Medienbericht

Krebs on Security

https://www.whatsapp.com/security/advisories/2025/

Vendor Advisory

https://www.facebook.com/security/advisories/cve-2025-55177

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-55177

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55177

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55177

EUVD