Overview
- WhatsApp’s CVE-2025-55177, an authorization bypass in linked device sync, could trigger processing of content from an arbitrary URL on a target device.
- The messaging-app bug was assessed to have been chained with Apple’s CVE-2025-43300 ImageIO vulnerability, which Apple says was used in an extremely sophisticated targeted attack.
- Meta confirmed it patched the WhatsApp flaw weeks ago and notified fewer than 200 potentially impacted users across its platforms.
- Amnesty International’s Security Lab described an advanced zero-click spyware campaign that had been active for roughly 90 days, starting in late May, and that targeted specific high-risk individuals.
- WhatsApp advised notified users to perform a full device factory reset and to install the latest OS and app updates, while attribution to a specific actor or vendor remains unconfirmed.