Earlier this week, the Cybersecurity and Infrastructure Security Agency (CISA) warned that a new zero-day vulnerability had been discovered in Meta’s WhatsApp messaging service. The vulnerability, identified as CVE-2025-55177, followed the disclosure of a similar vulnerability in Apple’s operating systems.
CISA urged all entities using the messaging app to apply the security patches released by Meta Platforms and to ensure that linked-device synchronization messages are permitted only from authenticated endpoints. CISA further advised against using WhatsApp until a secure version was deployed, while it called for organizations to monitor network traffic for unusual outbound HTTP requests originating from WhatsApp clients.
“Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” WhatsApp announced in a security advisory.
“We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.”
The Low-Hanging Fruit at Apple
The WhatsApp vulnerability may be exploited in conjunction with an OS-level vulnerability, thereby targeting Apple users.
“This is basically an example of where an application can be tampered with in such a way as to cause it to load content from another, ‘unvalidated,’ source of content. In the case of the image IO library, this is a vulnerability in image processing—e.g., when you receive a message and get a view of the image previewed as a small image in your chat,” explained Lawrence Pingree, technical evangelist at cybersecurity research firm Dispersive and former lead Gartner analyst.
“What makes vulns like this especially bad is that they allow people to send images to various users, and because the viewer automatically loads an image, if the image content has the exploit contained within it, then your device can become breached without any clicks or knowledge of the user,” Pingree told ClearanceJobs via an email. “Patching iOS devices and Apple products is just as important as Windows—even though Windows gets targeted immensely.”
Is WhatsApp Safe?
The news of this recent zero-day vulnerability comes as NCC Group published a security and privacy assessment of the WhatsApp Message Summarization Service. Facebook parent Meta Platforms engaged NCC Group to conduct the evaluation, which was published last week.
“The review was performed remotely as a 115 person-day effort during the first half of 2025 by NCC Group’s Cryptography Services team, Hardware and Embedded Security team, and AI/ML Security team,” the report explained.
Among the key findings were that secret user data could be leaked, and that an old “Trusted Execution Environment” (TEE) image with known vulnerabilities could be reused indefinitely by an active attacker. A successful exploitation of the leading service would allow attackers to gain full access privileges to the running container. A successful exploitation of the Confidential Virtual Machine (CVM) could be used to exfiltrate data and could also give attackers access to RA-TLS (remote attestation – transport layer security) private keys, which could allow the attacker to supplant the container.
However, the study also found that client-side enforcement ensured that no data could leave a device without user consent, and that Meta mitigated the risks by employing a layered defense model, while it also enforced runtime attestation of all critical components.
“The Message Summarization Service uses modern cryptographic protocols and hardware-based security features while striving to be verifiably transparent,” said Jared Samuel, vice president, NCC Group Cryptography Services.
Samuel told ClearanceJobs that users must trust Meta to not insert any malicious behavior into artifacts that are not open source, to tightly control access to artifact signing keys, and not to collude with Cloudflare or Fastly.
“Additionally, NCC Group encourages fully verifiable transparency, which requires open-source code and reproducible builds for all artifacts,” he added. “Overall, the WhatsApp Message Summarization Service has ambitious security and privacy targets; Meta has invested a significant amount of resources to achieve the leading edge of what is currently possible.”