WhatsApp 0-click remote code execution (RCE) vulnerability affecting Apple’s iOS, macOS, and iPadOS platforms, detailed with a proof of concept demonstration.
The attack chain exploits two distinct vulnerabilities, identified as CVE-2025-55177 and CVE-2025-43300, to compromise a target device without requiring user interaction.
The exploit, demonstrated in a proof-of-concept (PoC) shared by the DarkNavyOrg researchers, is initiated by sending a specially crafted malicious (DNG) image file to a victim’s WhatsApp account.
As a “zero-click” attack, the vulnerability is triggered automatically upon receipt of the malicious message, making it particularly dangerous as victims have no opportunity to prevent the compromise.
0-click Attack PoC WhatsApp
WhatsApp 0-Click Vulnerability Exploit Chain
The attack’s entry point is CVE-2025-55177, a critical logic flaw within WhatsApp’s handling of messages.
According to DarkNavyOrg, the vulnerability stems from a missing validation check to confirm that an incoming message originates from a legitimate linked device.
This oversight allows an attacker to send a message that appears to be from a trusted source, bypassing initial security checks and delivering the malicious payload.
We triggered WhatsApp 0-click on iOS/macOS/iPadOS.
CVE-2025-55177 arises from missing validation that the [Redacted] message originates from a linked device, enabling specially crafted DNG parsing that triggers CVE-2025-43300.
Analysis of Samsung CVE-2025-21043 is also ongoing. pic.twitter.com/idwZXqh5WK— DARKNAVY (@DarkNavyOrg) September 28, 2025
Once the message is delivered, the second vulnerability, CVE-2025-43300, is triggered. This flaw resides in the application’s DNG file parsing library.
The attacker crafts a malformed DNG image that, when processed by WhatsApp, causes a memory corruption error, leading to remote code execution.
The proof-of-concept shared by the researchers shows a script that automates the process: logging into WhatsApp, generating the malformed DNG, and sending the payload to a target phone number. This combination allows for a seamless and silent compromise of the targeted device.
This zero-click RCE vulnerability poses a severe threat to users of WhatsApp on multiple Apple devices, including iPhones, Mac computers, and iPads.
A successful exploit could grant an attacker complete control over a device, enabling them to access sensitive data, monitor communications, and deploy further malware. The stealthy nature of the attack means a device could be compromised without any visible indicators.
The discovery highlights the ongoing security challenges associated with complex file formats and cross-platform messaging applications. Flaws in file parsers have historically been a common vector for RCE exploits, as they process untrusted external data.
DarkNavyOrg has indicated that its analysis is ongoing, including a separate investigation into a Samsung-related vulnerability (CVE-2025-21043).
For now, WhatsApp users are advised to ensure their applications and operating systems are always updated to the latest versions to receive security patches as soon as they become available. Both WhatsApp and Apple are expected to address these critical vulnerabilities in upcoming security updates.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
Source: cybersecuritynews.com