WhatsApp, Apple warn of highly targeted attacks with zero-day vulnerability
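WhatsApp has fixed a zero-day vulnerability (CVE-2025-55177) that could lead to unauthorized processing of device synchronization messages. The vulnerability may have been combined with an operating-system vulnerability on Apple devices (CVE-2025-43300) in sophisticated attacks against specific users. Apple has patched its vulnerability and noted that it may have been used in advanced attacks.
2025-9-2 16:0:57 Author: therecord.media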

WhatsApp on Friday announced it patched a zero-day vulnerability it believes was used to launch sophisticated attacks against specific individuals.

The Meta-owned messaging platform said in a security advisory that the bug, labeled CVE-2025-55177, involves “incomplete authorization of linked device synchronization messages.”

The issue “could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target’s device,” the advisory says. 

WhatsApp believes the vulnerability could have been combined with a separate OS-level vulnerability on Apple devices (CVE-2025-43300) to potentially launch sophisticated attacks against “specific targeted users,” the advisory says.

Apple, which patched CVE-2025-43300 on August 20, has described it as an “out-of-bounds write issue.” 

The tech giant said it is “aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals.”

CVE-2025-43300 affected Apple’s iOS, iPadOS and macOS products.

No technical details were released by either company.

In 2019, WhatsApp was exploited with a zero-day attack carried out by the NSO Group, which manufactures the zero-click spyware known as Pegasus. That attack impacted some 1,400 Apple users and resulted in a court finding holding NSO Group liable. 

In January, WhatsApp accused a separate spyware company, Paragon, of targeting about 90 of its users with spyware. Digital forensic experts from the Citizen Lab subsequently verified that some of those attacks occurred.



Source: https://therecord.media/whatsapp-apple-zero-day-targeted-attacks