
WhatsApp Zero-Click Exploit: What Happened and How to Stay Safe
Date: September 30, 2025
Author: Tanner Tobey
Overview
A newly discovered zero-click vulnerability in WhatsApp has sent shockwaves through the cybersecurity community. This exploit allows attackers to compromise devices without any user interaction—no clicks, no taps, no downloads. The attack targets Apple devices (iOS, macOS, iPadOS) and leverages two chained vulnerabilities:
CVE-2025-55177 – A logic flaw in WhatsApp’s message handling
CVE-2025-43300 – An out-of-bounds write vulnerability in Apple’s ImageIO framework
Together, these flaws enable remote code execution (RCE), giving attackers full control over the victim’s device.
How the Attack Works
Initial Exploit (CVE-2025-55177)
WhatsApp fails to validate whether an incoming message originates from a legitimate linked device. Attackers exploit this by sending a spoofed message that bypasses security checks.
Payload Delivery
The malicious message contains a crafted DNG (Digital Negative) image file. WhatsApp automatically processes this file in the background—no user action required.
Triggering RCE (CVE-2025-43300)
When WhatsApp parses the malformed DNG image, it triggers a memory corruption bug in Apple’s ImageIO framework, allowing attackers to execute arbitrary code.
Impact
Once compromised, attackers can:
Access messages and files
Activate cameras and microphones
Install spyware or additional malware
Monitor encrypted communications silently
Who Was Targeted?
The attack appears to have been highly targeted, affecting fewer than 200 users globally, including journalists and human rights defenders. WhatsApp has sent threat notifications to those believed to be impacted.
Mitigation Steps
Update WhatsApp Immediately
Install the latest version:
iOS: 2.25.21.73 or later
macOS: 2.25.21.78 or later
Apply Apple Security Updates
Ensure your device runs the latest OS patches (iOS 18.6.2, macOS Sequoia 15.6.1, etc.).
Enable Lockdown Mode (High-Risk Users)
Apple’s Lockdown Mode reduces attack surface by disabling risky features.
Monitor for Signs of Compromise
Watch for unusual battery drain, overheating, or unexpected data usage.
Factory Reset if Notified
WhatsApp recommends a full device reset for users who received a threat alert.
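As an added example (not code from the original post), the following Python script checks an installed WhatsApp build against the fixed versions listed in the steps above. The minimum versions are the ones the post gives; the Info.plist content is constructed for the demo, and the macOS bundle path named in the code is an assumption rather than something the post states. The point it makes is that dotted version strings must be compared numerically, since a plain string comparison reports some old builds as patched.

```python
"""Compare an installed WhatsApp build against the fixed versions listed above.

Added example, not code from the original post. The minimum versions are the
ones the post names; the plist bytes are constructed for the demo.
"""
import plistlib

# Minimum fixed builds as stated in the post (platform -> version)
MIN_FIXED = {"ios": "2.25.21.73", "macos": "2.25.21.78"}

# Where a macOS app bundle keeps its version string (assumed path; not from the post)
MACOS_PLIST_PATH = "/Applications/WhatsApp.app/Contents/Info.plist"


def parse_version(version: str) -> tuple:
    """Split "2.25.21.73" into (2, 25, 21, 73).

    Comparing integer tuples matters: as plain strings "2.25.21.9" sorts after
    "2.25.21.73", which would wrongly report an old build as patched.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for the platform."""
    return parse_version(installed) >= parse_version(MIN_FIXED[platform])


def version_from_plist(plist_bytes: bytes) -> str:
    """Read CFBundleShortVersionString from an Info.plist (XML or binary form)."""
    info = plistlib.loads(plist_bytes)
    return info["CFBundleShortVersionString"]


# Constructed Info.plist for the demo (not captured from a real install)
SAMPLE_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "example.placeholder.bundle",
    "CFBundleShortVersionString": "2.25.21.70",
})


def check_macos_sample() -> bool:
    """Run the check on the constructed plist and return the patched verdict."""
    installed = version_from_plist(SAMPLE_PLIST)
    return is_patched(installed, "macos")


if __name__ == "__main__":
    installed = version_from_plist(SAMPLE_PLIST)
    verdict = "patched" if is_patched(installed, "macos") else "UPDATE REQUIRED"
    print(f"WhatsApp {installed} on macOS: {verdict} (minimum {MIN_FIXED['macos']})")
    # On a real Mac, read open(MACOS_PLIST_PATH, "rb").read() instead of SAMPLE_PLIST
```

To check a real install, replace SAMPLE_PLIST with the bytes of the bundle's Info.plist; the iOS minimum is applied the same way with platform "ios".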
Why This Matters
Zero-click exploits represent the most dangerous class of attacks because they require no user interaction. They exploit hidden flaws in widely used apps, making even the most cautious users vulnerable. This incident underscores the importance of timely updates and layered security measures.
Bottom Line
Update your apps and OS now. Enable automatic updates. For high-risk individuals, consider Lockdown Mode and advanced monitoring tools.
Hunting Rule (YARA)
The following YARA rule surfaces DNG/TIFF files for triage; as its meta block notes, confidence is low to medium and false positives are expected.

rule WHATSAPP_DNG_SUSPICIOUS_Heuristic
{
    meta:
        description = "Hunting rule: DNG/TIFF with DNG markers + odd traits (possible malformed payload)"
        reference = "CVE-2025-55177, CVE-2025-43300"
        author = "Tanner"
        date = "2025-09-30"
        confidence = "LOW_TO_MEDIUM"
        notes = "Designed to surface DNGs for triage; expect false positives."

    strings:
        // TIFF headers (little/big endian); a TIFF/DNG file begins with one of these
        $tiff_le = { 49 49 2A 00 }
        $tiff_be = { 4D 4D 00 2A }
        // Textual markers sometimes present in DNG/XMP blocks. Only strings the
        // condition references are declared: YARA rejects a rule with unreferenced strings.
        $s1 = "DNG" ascii nocase
        $s2 = "DNGVersion" ascii nocase
        $s5 = "<x:xmpmeta" ascii nocase
        $s6 = "kCGImagePropertyDNGVersion" ascii // often appears in metadata/debug strings
        // DNGVersion tag id (0xC612) as it appears in IFD entries, in each byte order
        $tag_le = { 12 C6 } // little endian tag id sequence
        $tag_be = { C6 12 } // big endian tag id sequence
        // Heuristic anomaly: long runs of 0x00 or 0xFF typical in crafted overlong fields
        $pad1 = { 00 00 00 00 00 00 00 00 00 00 00 00 }
        $pad2 = { FF FF FF FF FF FF FF FF FF FF FF FF }

    condition:
        // TIFF container: the header magic must sit at offset 0, not anywhere in the file
        ( $tiff_le at 0 or $tiff_be at 0 ) and
        // DNG/XMP hints: a textual marker, or the DNGVersion tag id in the byte order
        // the header declares (a bare two-byte pattern would match almost any file)
        (
            1 of ($s1, $s2, $s5, $s6) or
            ( $tiff_le at 0 and $tag_le ) or
            ( $tiff_be at 0 and $tag_be )
        ) and
        // Size sanity: many PoCs keep payload small-ish; tune as needed for your telemetry
        filesize < 8MB and
        // Some hint of suspicious padding suggesting malformed blocks
        ( $pad1 or $pad2 )
}
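The attack description above turns on ImageIO parsing a malformed DNG, and the YARA rule hunts for that on byte patterns. As an added example (not the author's code), the Python script below does the complementary structural check a triage analyst would want: it parses the TIFF header and IFD0 of a candidate .dng, records whether the DNGVersion tag (0xC612, the id the rule's $tag_le/$tag_be bytes encode) is present, and reports entries whose declared data would lie outside the file or whose byte count would not fit a 32-bit length. It walks IFD0 only (a simplification), the entry cap is an assumed sanity limit, and both sample files are constructed for the demo, not derived from any real malicious DNG.

```python
"""Structural triage of a TIFF/DNG container.

Added example, not the author's code. Walks the TIFF header and IFD0 of a
candidate file and flags entries whose declared data falls outside the file.
The sample files are constructed for the demo.
"""
import struct

TAG_DNG_VERSION = 0xC612  # DNGVersion tag id (the bytes the rule's $tag_le/$tag_be encode)
# Byte size of each TIFF field type (1=BYTE, 2=ASCII, 3=SHORT, 4=LONG, 5=RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4,
              10: 8, 11: 4, 12: 8, 13: 4, 16: 8, 17: 8, 18: 8}
MAX_ENTRIES = 4096  # assumed sanity cap on IFD0 entries; a real IFD is far smaller
IFD_ENTRY_LEN = 12  # tag(2) + type(2) + count(4) + value-or-offset(4)


def triage_tiff(data: bytes) -> dict:
    """Return {"is_tiff", "is_dng", "findings"}; findings is a list of strings."""
    report = {"is_tiff": False, "is_dng": False, "findings": []}
    size = len(data)
    if size < 8:
        report["findings"].append("shorter than a TIFF header")
        return report
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        report["findings"].append("no TIFF byte-order marker at offset 0")
        return report
    magic, ifd0 = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        report["findings"].append(f"bad TIFF magic {magic}")
        return report
    report["is_tiff"] = True
    if ifd0 < 8 or ifd0 + 2 > size:
        report["findings"].append(f"IFD0 offset 0x{ifd0:x} lies outside the file")
        return report
    (count,) = struct.unpack(endian + "H", data[ifd0:ifd0 + 2])
    if count > MAX_ENTRIES or ifd0 + 2 + count * IFD_ENTRY_LEN + 4 > size:
        report["findings"].append(f"IFD0 declares {count} entries but they do not fit in the file")
        return report
    for i in range(count):
        off = ifd0 + 2 + i * IFD_ENTRY_LEN
        tag, ftype, n, value = struct.unpack(endian + "HHII", data[off:off + IFD_ENTRY_LEN])
        if tag == TAG_DNG_VERSION:
            report["is_dng"] = True
        tsize = TYPE_SIZES.get(ftype)
        if tsize is None:
            report["findings"].append(f"tag 0x{tag:04x}: unknown field type {ftype}")
            continue
        nbytes = n * tsize  # Python does not overflow here; a C parser using uint32 would
        if nbytes > 0xFFFFFFFF:
            report["findings"].append(
                f"tag 0x{tag:04x}: count {n} x {tsize} bytes overflows a 32-bit length")
            continue
        # Data longer than 4 bytes is stored out of line; the value field is then its offset
        if nbytes > 4 and value + nbytes > size:
            report["findings"].append(
                f"tag 0x{tag:04x}: {nbytes} bytes at 0x{value:x} exceed file size {size}")
    return report


def build_tiff(entries, trailing=b"", endian="<") -> bytes:
    """Construct a minimal TIFF: header, IFD0 at offset 8, then trailing data."""
    order = b"II" if endian == "<" else b"MM"
    header = order + struct.pack(endian + "HI", 42, 8)
    ifd = struct.pack(endian + "H", len(entries))
    for tag, ftype, n, value in entries:
        ifd += struct.pack(endian + "HHII", tag, ftype, n, value)
    ifd += struct.pack(endian + "I", 0)  # no next IFD
    return header + ifd + trailing


# Constructed samples. DNGVersion 1.4.0.0 is stored inline as bytes 01 04 00 00,
# which in little-endian order is the 32-bit value 0x00000401. The Make entry
# (0x010F, ASCII) has 6 bytes, so its value field is an offset just past the IFD.
GOOD_DNG = build_tiff(
    [(0x0100, 3, 1, 1), (TAG_DNG_VERSION, 1, 4, 0x0401), (0x010F, 2, 6, 8 + 2 + 3 * 12 + 4)],
    trailing=b"Acme\x00\x00")
# Same layout plus an ASCII entry claiming 64 KiB beyond EOF and a LONG entry whose
# count x size does not fit in 32 bits
_BAD_TRAILING_AT = 8 + 2 + 4 * 12 + 4
BAD_DNG = build_tiff(
    [(0x0100, 3, 1, 1), (TAG_DNG_VERSION, 1, 4, 0x0401),
     (0x010F, 2, 0x10000, _BAD_TRAILING_AT), (0x0111, 4, 0x80000000, _BAD_TRAILING_AT)],
    trailing=b"Acme\x00\x00")


if __name__ == "__main__":
    for name, blob in (("good", GOOD_DNG), ("bad", BAD_DNG)):
        r = triage_tiff(blob)
        print(f"{name}: tiff={r['is_tiff']} dng={r['is_dng']} findings={r['findings']}")
```

Run it against files the YARA rule surfaces: a clean camera DNG produces no findings, while a file whose IFD entries point past its own end or declare absurd counts is worth a closer look regardless of which byte patterns it contains.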