
Cybersecurity
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent notice regarding a newly identified zero-day vulnerability in WhatsApp, which is currently being exploited in active attacks.
The vulnerability, tracked as CVE-2025-55177, affects WhatsApp users worldwide. It sits in the linked-device synchronization path, and although it has not been tied to ransomware campaigns, cybercriminals including ransomware operators could adopt an exploit for it.
On September 2, 2025, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. The agency directed federal agencies and critical infrastructure organizations to prioritize remediation and set a due date of September 23, 2025.
CVE ID | Vendor | Product | Vulnerability Type
--- | --- | --- | ---
CVE-2025-55177 | Meta Platforms | WhatsApp | Incorrect Authorization (CWE-863)
The flaw is an incomplete authorization check in WhatsApp's linked-device feature: the check that is supposed to confirm that a synchronization message comes from a device linked to the target's account can be bypassed, so an unrelated user can send a crafted synchronization message that the victim's device accepts. The message can make that device process content fetched from an arbitrary, attacker-chosen URL.
The consequences include data theft, malware installation, and espionage. Although the flaw has not been definitively linked to ransomware campaigns, a bug that lets an unrelated user push content to a target's device is attractive to a wide range of threat actors.
The advisory recommends that organizations adhere to Meta Platforms’ mitigation instructions or discontinue the use of vulnerable versions of WhatsApp if such instructions are unavailable.
Technical Details
The vulnerability is classified as CWE-863, Incorrect Authorization: the software performs an authorization check, but the check is incomplete, so a user or process can act beyond what it should be permitted to do. Here, an attacker uses WhatsApp's cross-device synchronization to craft a linked-device update that passes the existing check and is applied to a device it was never entitled to control.
Security researchers report that exploitation may require no interaction from the victim in some scenarios, which raises the risk of silent compromise. Once the attacker can make the device fetch and process chosen content, the same path can be reused for phishing or for delivering a secondary payload.
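The following is an added, hypothetical model of the CWE-863 pattern described above; it is not WhatsApp's code and does not reflect Meta's implementation. A sync handler authenticates the sending device (it is registered with the service) but never checks that the device is linked to the *target* account, so a device belonging to an unrelated account can push a "fetch this URL" update to a victim's device. The hardened version checks the sender against the target account's own linked-device set and, as an additional assumed defence, only allows content URLs on the service's trusted media hosts (the host name and all account and device identifiers below are constructed sample data).

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed for this example: the only hosts a device may be told to fetch
# content from. A real service would substitute its own media hosts.
TRUSTED_CONTENT_HOSTS = {"media.example-messenger.invalid"}


@dataclass(frozen=True)
class SyncMessage:
    """A linked-device synchronization message (simplified model)."""
    sender_device_id: str   # device claiming to originate the update
    target_account: str     # account whose linked devices should apply it
    content_url: str        # URL the receiving device is told to process


@dataclass
class Account:
    account_id: str
    linked_devices: set[str] = field(default_factory=set)


class SyncHandler:
    def __init__(self, accounts: dict[str, Account]) -> None:
        self.accounts = accounts
        # Registry of every device id the service knows, regardless of owner.
        self.known_devices = {
            dev for acct in accounts.values() for dev in acct.linked_devices
        }

    def apply_vulnerable(self, msg: SyncMessage) -> tuple[str, str]:
        # CWE-863: the sender is authenticated (it is a registered device),
        # but authorization is checked against the wrong scope. Any device
        # registered anywhere is accepted, not only devices linked to the
        # account the update targets.
        if msg.sender_device_id not in self.known_devices:
            return ("rejected", "unknown device")
        return ("fetch", msg.content_url)

    def apply_fixed(self, msg: SyncMessage) -> tuple[str, str]:
        # Correct scope: the sender must be one of the target account's own
        # linked devices, otherwise the update is dropped.
        account = self.accounts.get(msg.target_account)
        if account is None or msg.sender_device_id not in account.linked_devices:
            return ("rejected", "sender is not a linked device of the target account")
        # Assumed defence in depth: never process content from arbitrary hosts.
        parsed = urlparse(msg.content_url)
        if parsed.scheme != "https" or parsed.hostname not in TRUSTED_CONTENT_HOSTS:
            return ("rejected", "content URL is outside the trusted hosts")
        return ("fetch", msg.content_url)


def build_demo_handler() -> SyncHandler:
    # Constructed sample data: a victim with two linked devices and an
    # unrelated attacker account with one registered device.
    victim = Account("victim", {"victim-phone", "victim-laptop"})
    attacker = Account("attacker", {"attacker-phone"})
    return SyncHandler({"victim": victim, "attacker": attacker})


def run_demo() -> dict[str, tuple[str, str]]:
    handler = build_demo_handler()
    # The attacker's own registered device targets the victim's account.
    hostile = SyncMessage("attacker-phone", "victim",
                          "https://attacker.invalid/payload")
    # A legitimate update between the victim's own linked devices.
    legit = SyncMessage("victim-laptop", "victim",
                        "https://media.example-messenger.invalid/obj/123")
    return {
        "vulnerable_hostile": handler.apply_vulnerable(hostile),
        "fixed_hostile": handler.apply_fixed(hostile),
        "vulnerable_legit": handler.apply_vulnerable(legit),
        "fixed_legit": handler.apply_fixed(legit),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Run it and the vulnerable handler tells the victim's device to fetch `https://attacker.invalid/payload` because `attacker-phone` is a registered device, while the fixed handler rejects the same message and still accepts the legitimate update between the victim's own devices. The point of the example is the scope of the check: authenticating the sender is not the same as authorizing it for this account.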
Organizations and individuals are advised to:
- Update WhatsApp on every device to the latest version, following the Meta Platforms mitigation instructions that the advisory points to.
- Monitor devices for unexpected linked-device synchronization requests or unusual network activity.
- Follow CISA's Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to remediate KEV-listed vulnerabilities by the catalog due date.
- In high-risk environments, review each account's Linked Devices list for entries the user does not recognize and consider temporarily unlinking companion devices.
CISA’s inclusion of CVE-2025-55177 in its KEV catalog underscores the need for immediate action to address the threat. With confirmed exploitation in ongoing attacks, swift remediation is essential to prevent widespread compromise.