CVE-2025-55177

Published: Aug 29, 2025Updated: Oct 24, 2025 Sources: CVE List NVD BDUCWE-863

NVD MITRE

5.4CVSSMEDIUM

EPSS Score

Description

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

CVSS Vector Breakdown

Exploitability

AV:NAttack Vector

Network

AC:LAttack Complexity

Low

PR:LPrivileges Required

Low

UI:NUser Interaction

None

Scope

S:UScope

Unchanged

Impact

C:LConfidentiality

Low

I:LIntegrity

Low

A:NAvailability

None

Open in CVSS calculator →

Weaknesses

CWE-863

Affected Products

WhatsApp Desktop for Mac Facebook Communications

WhatsApp Business for iOS Facebook Communications

WhatsApp for iOS Facebook Communications

whatsapp whatsapp

Mobile App

Communications / messaging-chat

whatsapp business whatsapp

SaaSMobile App

Communications / messaging-chat

facebookcommercialUSCommunicationsaka meta, facebook inc.

whatsappcommercialCommunicationsaka whatsapp business, whatsapp desktop

and 3 more affected products View all →

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

CISA Known Exploited Vulnerability

Added to KEV:Sep 2, 2025

Remediation due:Sep 23, 2025

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Official Patch Available