September 9, 2025

CVE-2025-55177: WhatsApp for iOS


Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, users should avoid opening image files from unknown or unsolicited sources, especially on older OS versions. Lookout admins should ensure all users have updated WhatsApp and WhatsApp Business to the patched versions:

  • WhatsApp for iOS: v2.25.21.73 or later and WhatsApp Business for iOS: v2.25.21.78 or later
  • Use the app vulnerability policy to define tolerance for your compliance. Lookout will be releasing coverage for the versions mentioned on September 10, 2025.
  • Use the OS out-of-date policy to ensure that the device is not exposed to this and other vulnerabilities covered by the update.
  • For either or both of the policies, choose whether to immediately warn or block non-compliant devices from accessing work apps and data until their OS is updated.
  • If your risk policies allow for a grace period, set the policy to escalate in severity and limitation to the user for a short period of time that aligns with your policies.

Overview 

CISA recently added guidance for CVE-2025-55177, a critical zero-day vulnerability in WhatsApp that affects WhatsApp for iOS prior to version 2.25.21.73, WhatsApp Business for iOS prior to v2.25.21.78, and WhatsApp for Mac prior to v2.25.21.78. The flaw is incomplete authorization of linked-device synchronization messages in WhatsApp. As a result, a remote attacker could exploit the vulnerability to trigger the processing of content from an arbitrary URL on a device without any user interaction, such as clicking a link or opening a file.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of Known Exploited Vulnerabilities, indicating it has been actively exploited in the wild. Reports suggest it was used in highly sophisticated, targeted attacks, often in conjunction with another vulnerability, CVE-2025-43300, which affects the Apple ImageIO framework. CVE-2025-43300 was fixed in iOS / iPadOS (current models) 18.6.2, iPadOS (older models) 17.7.10, and macOS Sequoia 15.6.1.

United States government organizations are required to have all vulnerable devices patched by September 23, 2025. While CISA's requirement applies only to US government organizations, its guidance should be a source of information for enterprise organizations as well.
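The admin recommendations and the patched versions above can be turned into a fleet check. The following is an added example, not Lookout's code, that flags devices whose WhatsApp build or OS build is below the versions this advisory names; the device inventory is constructed, and treating the iOS 17 and 18 lines as separate release branches with their own minimums is an assumption of the example.

```python
# Unparseable version strings are reported as non-compliant rather than skipped.
PATCHED_APPS = {"WhatsApp": "2.25.21.73", "WhatsApp Business": "2.25.21.78"}
# 18 line fixed at 18.6.2; 17 line (older iPads per the advisory) at 17.7.10.
# Separate release branches per major version: an assumption of this example.
PATCHED_OS = {18: "18.6.2", 17: "17.7.10"}


def parse_version(text):
    """'2.25.21.73' -> (2, 25, 21, 73); None when not purely dotted integers."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def app_is_patched(app_name, version):
    minimum = PATCHED_APPS.get(app_name)
    v = parse_version(version)
    return minimum is not None and v is not None and v >= parse_version(minimum)


def os_is_patched(os_version):
    v = parse_version(os_version)
    if v is None:
        return False
    minimum = PATCHED_OS.get(v[0])
    if minimum is None:
        return v[0] > 18  # newer lines carry the fix; older lines never got it
    return v >= parse_version(minimum)


def evaluate_fleet(devices):
    """devices: dicts with id, os, app, app_version. Returns [(id, [reasons])]."""
    findings = []
    for d in devices:
        reasons = []
        if not app_is_patched(d["app"], d["app_version"]):
            reasons.append(f"{d['app']} {d['app_version']} below patched build")
        if not os_is_patched(d["os"]):
            reasons.append(f"iOS {d['os']} lacks the ImageIO fix (CVE-2025-43300)")
        if reasons:
            findings.append((d["id"], reasons))
    return findings


# Constructed sample inventory, not real device data.
SAMPLE_FLEET = [
    {"id": "ipad-01", "os": "17.7.10", "app": "WhatsApp", "app_version": "2.25.21.73"},
    {"id": "iphone-02", "os": "18.6.1", "app": "WhatsApp", "app_version": "2.25.21.73"},
    {"id": "iphone-03", "os": "18.6.2", "app": "WhatsApp Business", "app_version": "2.25.20.9"},
    {"id": "iphone-04", "os": "18.6.2", "app": "WhatsApp", "app_version": "2.25.21.73 (beta)"},
]
```

Running `evaluate_fleet(SAMPLE_FLEET)` reports iphone-02 (OS not updated), iphone-03 (WhatsApp Business below the patched build) and iphone-04 (version string not parseable), while ipad-01 is compliant.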

Lookout Analysis

Regardless of who builds software, it is rarely perfect. Apple has the advantage of building and maintaining both its hardware and software products, which reduces the variables that could lead to exploitable code. However, this doesn't mean that Apple devices are impenetrable.

What's most concerning about this vulnerability is that it doesn't require the target to perform any action. Since mobile devices typically default to automatically processing images in apps like Messages, Safari, or Mail, the end user could open the door for an attacker without ever knowing it.

Without visibility into vulnerable devices across your mobile fleet, your organization and its data could be exposed to threats like this. To feed data and more into your SIEM, SOAR, EDR, or XDR, be sure to integrate Lookout with those tools via the Mobile Intelligence APIs. You can learn how to set up those APIs in this interactive demo.

Authors

Lookout

Endpoint Security
Threat Type: Vulnerability
Platform(s) Affected: iOS
Entry Type: Threat Guidances