How to fix CVE-2025-55177?

Within 24 hours: Identify affected systems running WhatsApp for iOS and apply vendor patches immediately. Monitor vendor channels for patch availability.

Is Whatsapp affected by CVE-2025-55177?

Organizations using WhatsApp for iOS should be aware of moderate risk from CVE-2025-55177, a incorrect authorization vulnerability rated CVSS 5.4. Attackers could gain access beyond their authorized level. This vulnerability is actively exploited in the wild (KEV-listed).

CVE-2025-55177

MEDIUM

2025-08-29 [email protected]

5.4

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 19:09 vuln.today

Added to CISA KEV

Oct 24, 2025 - 14:14 cisa

CISA KEV

CVE Published

Aug 29, 2025 - 16:15 nvd

MEDIUM 5.4

Description

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users.

Analysis

Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Actively exploited in the wild (cisa kev) and no vendor patch available.

Technical Context

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users. Affected products include: Whatsapp, Whatsapp Whatsapp Business.

Affected Products

Whatsapp, Whatsapp Whatsapp Business.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

Priority Score

Low Medium High Critical

KEV: +50

EPSS: +0.8

CVSS: +27

POC: 0

CVE-2025-55177 vulnerability details – vuln.today

Back

CVE-2025-55177

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-55177

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code