Advisory 98: CVE-2025-55177 - Meta Platforms WhatsApp Incorrect Authorization Vulnerability
Release Date: 2nd of September 2025
Impact: HIGH / CRITICAL
TLP Rating: Clear
CERT Vanuatu (CERTVU) and the Department of Communication and Digital Transformation (DCDT) provide the following advisory.
This alert is relevant to Organizations and individuals that utilize the above products. This alert is intended to be understood by technical users and systems administrators.
What is it?
CVE-2025-55177 is an incorrect authorization vulnerability in WhatsApp's linked-device synchronization feature. WhatsApp did not fully check who was permitted to send linked-device synchronization messages, so a user unrelated to the victim could cause the victim's device to process content fetched from an arbitrary, attacker-controlled URL. On its own this is a high-severity flaw; chained with the Apple ImageIO vulnerability CVE-2025-43300 it becomes critical, and it was exploited in this way in sophisticated, targeted spyware attacks.
What are the Systems affected?
Affected versions:
- WhatsApp for iOS: versions prior to 2.25.21.73
- WhatsApp Business for iOS: versions prior to 2.25.21.78
- WhatsApp for macOS: versions prior to 2.25.21.78
What does this mean?
How attackers could exploit this vulnerability:
- The attacker sends a crafted linked-device synchronization message pointing at an attacker-controlled URL. No interaction from the victim is required.
- Because the authorization check on synchronization messages is incomplete, WhatsApp on the victim's device accepts the message and processes the content from that URL as if it came from a legitimately linked device.
- When the fetched content is a malicious image that triggers Apple's CVE-2025-43300 (an out-of-bounds write in the ImageIO framework), the chain allows zero-click installation of spyware on the device.
Mitigation process
CERT Vanuatu advises IT personnel, system administrators and technical users to apply immediate remediation by:
- Updating WhatsApp immediately:
- WhatsApp for iOS: update to 2.25.21.73 or later
- WhatsApp Business for iOS and WhatsApp for macOS: update to 2.25.21.78 or later
- Applying the Apple iOS/macOS update that fixes CVE-2025-43300, since the WhatsApp patch alone does not close the ImageIO flaw used in the exploit chain.
- Reviewing the Linked Devices list in WhatsApp settings and unlinking any device that is not recognised.
- Enabling two-step verification in WhatsApp. Note that this protects the account against registration hijacking and does not by itself prevent this vulnerability; the update is the fix.
- Keeping apps and the operating system updated regularly as a security best practice.
References
- Download advisory (English): Meta Platforms WhatsApp incorrect Authorization Vulnerability