CVE-2025-55177

Warning

Media report

EPSS 0.63%
Published 29.08.2025 15:50:28
Last modified 03.09.2025 14:03:49
Source cve-assign@fb.com
Teams watchlist Login
Open Login

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Affected products Warnungen 1 Metrics 2 CWE 1 References 7

Data is provided by the National Vulnerability Database (NVD)

WhatsApp ≫ WhatsApp SwPlatformiphone_os Version >= 2.22.25.2 < 2.25.21.73

WhatsApp ≫ WhatsApp SwPlatformmacos Version >= 2.22.25.2 < 2.25.21.78

WhatsApp ≫ WhatsApp Business SwPlatformiphone_os Version >= 2.22.25.2 < 2.25.21.78

02.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog

Meta Platforms WhatsApp Incorrect Authorization Vulnerability

Vulnerability

Meta Platforms WhatsApp contains an incorrect authorization vulnerability due to an incomplete authorization of linked device synchronization messages. This vulnerability could allow an unrelated user to trigger processing of content from an arbitrary URL on a target’s device.

Description

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Required actions

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.63%	0.695

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
cve-assign@fb.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://www.heise.de/news/Zero-Click-Angriff-auf-Apple-Geraete-via-WhatsApp-10626629.html

Medienbericht

heise Security

https://krebsonsecurity.com/2025/09/microsoft-patch-tuesday-september-2025-edition/

Medienbericht

Krebs on Security

https://www.whatsapp.com/security/advisories/2025/

Vendor Advisory

https://www.facebook.com/security/advisories/cve-2025-55177

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-55177

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-55177

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-55177

EUVD