The U.S. Cybersecurity and Infrastructure Security Agency has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch them within 21 days and signaling an urgent alert for all organizations. The new additions, disclosed September 2, 2025, cover a missing authentication flaw in TP-Link TL-WA855RE Wi‑Fi extenders (CVE‑2020‑24363) and an incorrect authorization weakness in WhatsApp for Apple platforms (CVE‑2025‑55177). Both are being exploited in the wild—the first for device takeover on local networks, the second for zero‑click spyware delivery against high‑value targets.

KEV Catalog: A Mandatory Priority List

The KEV Catalog is a living list of CVEs with confirmed active exploitation. Under Binding Operational Directive 22‑01, federal civilian executive branch agencies must remediate cataloged vulnerabilities by their specified due date—September 23, 2025, for these two entries. Private sector organizations are strongly urged to follow suit, treating KEV additions as top vulnerability management priorities.

The pair illustrates two persistent threat vectors: legacy IoT devices with weak‑to‑no authentication, and messaging apps abused for sophisticated, no‑interaction espionage.

The Vulnerability

The TP‑Link TL‑WA855RE (V5 firmware) contains an unauthenticated TDDP_RESET POST endpoint. An attacker on the same local network can send a crafted request to trigger an immediate factory reset and reboot. Once the device reverts to defaults, the attacker can use default credentials or complete the unauthenticated setup wizard to set a new administrative password, seizing full control of the range extender.

Technical classification: CWE‑306 (Missing Authentication for a Critical Function). The flaw was first disclosed in 2020 but remains exploitable on unpatched or end‑of‑life devices.

Real‑World Exploitation Risk

Requiring network adjacency, the attack is feasible wherever weak segmentation exists—public Wi‑Fi, guest networks, poorly designed VLANs, or compromised home gateways. Deployed in branch offices, retail floors, and kiosks, these extenders often sit unmonitored and missing from asset inventories, making them ideal pivots for lateral movement.

Remediation and Mitigation

  • Patch: Apply vendor firmware if available for your hardware revision. Many affected units are end‑of‑life, so verify support status first.
  • Isolate or Replace: If patching isn’t possible, remove the device from production or place it on an isolated management VLAN with strict access controls.
  • Harden Management: Change default credentials, disable remote management, and restrict admin access to trusted subnets.
  • Monitor: Watch for unexpected reboots, factory resets, or new admin account creation via SIEM and DHCP logs.

CVE‑2025‑55177: WhatsApp Incorrect Authorization Zero‑Click Chain

The Flaw

An authorization logic bug in WhatsApp’s linked‑device synchronization mechanism allows an attacker to trigger processing of content fetched from an arbitrary URL on a target’s device. The core issue is insufficient validation of synchronization messages, enabling a malicious request that the app handles as if legitimate.

When combined with an Apple Image I/O out‑of‑bounds write (a memory corruption bug in the operating system), the chain achieves remote code execution with zero user interaction—a text message or synchronization notification silently compromises the device.

Targeted Espionage Campaign

Meta notified fewer than 200 users of potential compromise, and Amnesty International’s security lab reported the chain was used in a months‑long surveillance operation. Evidence points to selective targeting of high‑value individuals—journalists, activists, government figures—consistent with state‑sponsored spyware use. Public attribution remains unconfirmed, but the low‑volume, high‑impact pattern is a hallmark of mercenary surveillance vendors.

Affected Versions and Patching

Patched WhatsApp versions:
- WhatsApp for iOS: v2.25.21.73 and later
- WhatsApp Business for iOS: v2.25.21.78 and later
- WhatsApp for macOS: v2.25.21.78 and later

Immediate actions:
- Update WhatsApp clients without delay.
- Install the latest Apple OS security patches that fix the associated Image I/O vulnerability.
- For users who received compromise notifications or are at elevated risk, follow vendor guidance—potentially including a full factory reset and OS reinstallation.

Hardening and Monitoring

  • Review linked devices: In WhatsApp settings, revoke and re‑authorize only known devices. Enable two‑step verification.
  • Enable Lockdown Mode on iOS to reduce the attack surface for zero‑click exploits.
  • Monitor for anomalies: Look for unexpected linked device pairings, unusual outbound network connections, or anomalous image/media processing activity on endpoints.
  • EDR considerations: Pre‑exploitation indicators are minimal, but post‑compromise behavior—like persistence installation or data exfiltration—may be caught with robust endpoint detection.

Strategic Takeaways: Why These Two CVEs Stand Out

IoT Blind Spots Persist

The TP‑Link entry is a five‑year‑old bug still triggering active exploitation. It underscores a systemic weakness: organizations routinely lose track of consumer‑grade IoT devices that lack regular patching mechanisms or have reached end of life. Such devices become permanent footholds for attackers who can pivot to more sensitive systems.

Messaging Apps as Espionage Vectors

The WhatsApp incident confirms that even encrypted messengers can be turned into silent spyware delivery platforms through logic bugs. Zero‑click attacks bypass all traditional user‑based defenses (phishing, social engineering) and require defense‑in‑depth at the OS and application level.

KEV Deadlines Demand Operational Rigor

BOD 22‑01 mandates that federal agencies remediate by the KEV due date—in this case, September 23, 2025. For other organizations, the catalog provides a clear benchmark for prioritization. When patches aren’t possible (EoL hardware), the directive pushes for immediate network isolation or replacement, not prolonged waivers.

Practical Remediation Playbook

Security teams should translate these KEV additions into concrete, auditable steps:

  1. Asset Discovery: Scan networks for TP‑Link TL‑WA855RE devices and inventory WhatsApp client versions on all managed iOS and macOS devices.
  2. Patching Sprint: Apply firmware updates or app updates within 72 hours; create configuration baselines to enforce minimum versions.
  3. Compensating Controls: For unpatched hardware, shift to a hardened management VLAN with access control lists (ACLs) restricting traffic to admin hosts only. Disable WAN‑side management and UPnP.
  4. Detection Engineering: Deploy IDS/IPS signatures for the TDDP_RESET endpoint and integrate threat intelligence feeds tracking WhatsApp exploitation indicators.
  5. Incident Response Readiness: Pre‑stage device replacement or reimaging workflows. Confirm that forensic artifact collection procedures are documented for both IoT and mobile endpoints.
  6. KEV Integration: Automate ingestion of the KEV catalog into vulnerability management platforms (e.g., Tenable, Qualys, Rapid7) to auto‑generate high‑priority tickets.

Looking Ahead

CISA’s September 2 additions are not isolated anomalies; they mirror twin structural gaps: neglected IoT lifecycle management and invisible zero‑click chains targeting consumer apps. Organizations that treat the KEV catalog as operational gospel—tightening patch SLAs, retiring unsupported hardware, and applying layered defenses to mobile devices—will measurably reduce their exposure. The alternative is a fragmented security posture where every forgotten extender and unpatched messaging client becomes an open door for the next campaign.