India’s Computer Emergency Response Team (CERT-In) has issued a high-risk security advisory for WhatsApp users. The vulnerability, if exploited, could allow attackers to bypass authorisation measures and gain access to sensitive user data. The warning covers both iOS and macOS versions of the widely used messaging platform.

Flaw in linked device handling

According to CERT-In’s vulnerability note (CIVN-2025-0200), the flaw originates from the improper handling of synchronised messages across linked devices. By exploiting this weakness, a remote attacker could trick a device into processing malicious requests from arbitrary URLs. Such manipulation could expose private conversations or other confidential details without the user’s knowledge.

The advisory specifies that WhatsApp for iOS versions prior to 2.25.21.73, WhatsApp Business for iOS versions prior to 2.25.21.78, and WhatsApp for Mac versions before 2.25.21.78 are impacted. Users of these versions are considered at high risk and are urged to upgrade immediately.
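For organisations triaging a fleet, the thresholds above can be checked against a device inventory export. The following is an added example, not part of the CERT-In note or any vendor tooling; the CSV layout, device names and product labels are constructed assumptions, and versions are compared numerically per component because a plain string comparison would misjudge a build such as 2.25.9.99.

```python
import csv
import io
# First fixed versions, taken from the advisory text above.
FIXED = {
    "WhatsApp for iOS": "2.25.21.73",
    "WhatsApp Business for iOS": "2.25.21.78",
    "WhatsApp for Mac": "2.25.21.78",
}

def parse_version(text):
    """Turn '2.25.21.73' into (2, 25, 21, 73); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(product, version):
    """Return 'affected', 'patched', 'not-listed' or 'unparseable'."""
    fixed = FIXED.get(product.strip())
    if fixed is None:
        return "not-listed"      # product is not named in the advisory
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"     # needs manual review, do not assume patched
    want = parse_version(fixed)
    # Pad to equal length so '2.25.21' is compared as '2.25.21.0'.
    width = max(len(installed), len(want))
    installed += (0,) * (width - len(installed))
    want += (0,) * (width - len(want))
    return "affected" if installed < want else "patched"

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["device"], classify(r["product"], r["version"])) for r in rows]

# Constructed sample inventory (assumed columns: device, product, version).
SAMPLE = """device,product,version
iphone-014,WhatsApp for iOS,2.25.21.72
iphone-022,WhatsApp for iOS,2.25.9.99
iphone-031,WhatsApp Business for iOS,2.25.21.78
mac-007,WhatsApp for Mac,2.25.21
mac-009,WhatsApp for Mac,unknown
pixel-003,WhatsApp for Android,2.25.21.10
"""

if __name__ == "__main__":
    for device, status in audit(SAMPLE):
        print(f"{device}: {status}")
```

Rows reported as `unparseable` should be treated as unverified rather than safe.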

Risk of combined exploits

CERT-In further explained that this flaw has been observed in some cases in combination with an Apple platform vulnerability known as CVE-2025-43300. When combined, the two weaknesses could be used to launch targeted attacks. Cybersecurity experts caution that such a combination increases the potential severity, giving attackers multiple avenues to gain control of user data.

The discovery underscores the increasing challenges of securing popular communication apps that are widely adopted by both individuals and businesses. With WhatsApp being one of the most used instant messaging platforms in India, the potential impact of this flaw is significant.

Steps to stay safe

CERT-In has outlined steps that users should follow to protect themselves from this vulnerability. The first and most important action is to update WhatsApp to the latest version immediately. Updates often contain security patches that close known loopholes and make it harder for attackers to exploit vulnerabilities.

Additionally, users are advised to avoid clicking on suspicious links or opening unexpected messages until they are certain their app is fully updated and patched. Such vigilance is necessary since malicious actors often disguise harmful content as harmless communication.

Meta, the parent company of WhatsApp, has not issued a public statement at the time of writing. However, the company generally responds quickly to such issues with software updates to minimise risks.

This advisory highlights the wider issue of vulnerabilities within widely used messaging platforms. For users, it is a reminder that security updates should not be ignored, as delaying them can leave devices exposed to potential threats. For organisations, it demonstrates the need for proactive monitoring of official advisories and timely implementation of security fixes across devices used by employees.