Week 36 – WhatsApp Zero-Click Flaw Targets Apple Devices

1-7 Sept 2025

Even the most trusted apps on the most secure devices can become entry points for attackers — as shown by a newly exploited WhatsApp flaw on Apple platforms.

Desktops and servers in an enterprise environment are often tightly controlled and monitored to mitigate cybersecurity risks. EDR software, log collection and patch management techniques are applied, ensuring continuous security of these devices.

Mobile devices, however, are often overlooked by IT teams. They are generally deemed more secure because of supervised marketplaces, a closed ecosystem and strong sandboxing capabilities. While these are powerful defenses, sometimes even these walls can be breached.

As an example, this CVE of the Week post presents a WhatsApp vulnerability targeting Apple platforms. Tracked as CVE-2025-55177, the flaw stems from incomplete authorization in the linked device synchronization feature, allowing a completely unrelated user to make the victim’s device process arbitrary data from a URL.

A zero-click attack like this is bad enough by itself, but according to Meta’s security advisory, it is possible to chain this with another CVE (CVE-2025-43300) and achieve OS-level control of Apple devices. Meta also added that this vulnerability has been used in targeted, sophisticated attacks, hence the CVE has made its way into the Known Exploited Vulnerabilities hall of fame.

We recommend updating the affected apps as soon as possible, especially if used by highly targeted individuals like reporters, whistleblowers or C-level managers.

Official Meta advisory: https://www.whatsapp.com/security/advisories/2025?lang=en_US
NIST entry: https://nvd.nist.gov/vuln/detail/CVE-2025-55177
CISA KEV record: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-5517


White Hat IT Security is a Europe-based Managed Security Services Provider (MSSP) and proud Microsoft Solution Partner. Its Microsoft-verified managed security solutions (MXDR) reflect their deep expertise and commitment to excellence in cybersecurity. The company was awarded the Partner of the Year Hungary Award by Microsoft in 2024.

With the largest incident response capacity in the CEE region, they’re trusted by organizations to deliver fast, effective, and proactive protection. Their portfolio includes penetration testing, vulnerability assessments, managed Cyber Threat Intelligence, as well as Governance, Risk and Compliance (GRC) consulting and specialized security training.

They are committed to supporting professional initiatives that aim to raise cybersecurity awareness and maturity—both for individuals and organizations. They regularly contribute to the community through knowledge sharing, education, and outreach, helping to build a safer digital future for all.