WhatsApp Zero-Click Vulnerability Exploited Using Malicious DNG File

A critical zero-click remote code execution (RCE) vulnerability has been identified in WhatsApp, affecting Apple’s iOS, macOS, and iPadOS platforms. It allows attackers to compromise devices without any user interaction by sending a specially crafted Digital Negative (DNG) image file.

Understanding the Exploit Chain

The attack leverages two distinct vulnerabilities:

1. CVE-2025-55177: This flaw resides in WhatsApp’s message handling logic. The application fails to validate that incoming messages originate from legitimate linked devices. This oversight enables attackers to send messages that appear to be from trusted sources, effectively bypassing initial security checks.

2. CVE-2025-43300: This vulnerability is found in the DNG file parsing library used by WhatsApp. By crafting a malicious DNG image, attackers can exploit this flaw to cause memory corruption, leading to remote code execution on the target device.
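DNG is a TIFF-based container, so one defensive layer against the parsing half of this chain is a structural pre-check that refuses a file before it reaches the image decoder. The C code below is an added example, not code from WhatsApp, Apple or the PoC, and it does not reproduce CVE-2025-43300, whose root cause this article does not describe. The function name dng_ifd0_in_bounds and both sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 16/32-bit fields honouring the TIFF byte-order mark (le = "II"). */
static uint32_t rd16(const uint8_t *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8
              : (uint32_t)p[1] | (uint32_t)p[0] << 8;
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? rd16(p, 1) | rd16(p + 2, 1) << 16
              : rd16(p + 2, 0) | rd16(p, 0) << 16;
}
/* Bytes per element for TIFF field types 1..13 (13 = IFD); index 0 is invalid. */
static const uint8_t TYPE_SIZE[14] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8, 4};

/* Returns 1 when the header and first IFD stay inside buf[0..len), else 0. */
int dng_ifd0_in_bounds(const uint8_t *buf, size_t len) {
    if (len < 8) return 0;                            /* header is 8 bytes */
    int le = memcmp(buf, "II", 2) == 0;
    if (!le && memcmp(buf, "MM", 2) != 0) return 0;   /* unknown byte order */
    if (rd16(buf + 2, le) != 42) return 0;            /* TIFF magic number */
    uint64_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len - 2) return 0;           /* room for entry count */
    uint64_t n = rd16(buf + ifd, le);
    if (n == 0 || n * 12 + 6 > len - ifd) return 0;   /* entries + next-IFD ptr */
    for (uint64_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + i * 12;    /* 12-byte IFD entry */
        uint32_t type = rd16(e + 2, le);
        if (type == 0 || type > 13) return 0;         /* conservative policy */
        /* 64-bit product: count * size cannot wrap as it would in 32 bits. */
        uint64_t bytes = (uint64_t)rd32(e + 4, le) * TYPE_SIZE[type];
        uint64_t off = rd32(e + 8, le);
        if (bytes > 4 && (off > len || bytes > len - off)) return 0;
    }
    return 1;
}

/* Constructed sample: one SHORT entry whose value is stored inline. */
static const uint8_t SAMPLE_OK[26] = {
    'I','I',42,0, 8,0,0,0,  1,0,  0x00,0x01, 3,0, 1,0,0,0, 16,0,0,0,  0,0,0,0};
/* Constructed sample: one LONG entry with count 0x40000000 (4 * count = 2^32). */
static const uint8_t SAMPLE_BAD[26] = {
    'I','I',42,0, 8,0,0,0,  1,0,  0x11,0x01, 4,0, 0,0,0,0x40, 8,0,0,0,  0,0,0,0};
int main(void) {
    printf("ok=%d bad=%d\n", dng_ifd0_in_bounds(SAMPLE_OK, sizeof SAMPLE_OK),
           dng_ifd0_in_bounds(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

A check that computed the field size in 32-bit arithmetic would accept the second sample, because 0x40000000 * 4 wraps to 0 and the field then looks like an inline value; the 64-bit product is what rejects it.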

Proof of Concept Demonstration

Security researchers from DarkNavyOrg have demonstrated a proof-of-concept (PoC) exploit that automates the attack process. The PoC involves:

– Logging into WhatsApp.

– Generating a malformed DNG image.

– Sending the malicious payload to a target phone number.

Because every step is automated, a targeted device can be compromised silently, without any user interaction.

Implications for Users

The zero-click nature of this vulnerability poses a significant threat to WhatsApp users on Apple devices, including iPhones, Macs, and iPads. A successful exploit could grant attackers complete control over a device, enabling them to access sensitive data, monitor communications, and deploy additional malware. The stealthy execution means that devices can be compromised without any visible indicators, leaving users unaware of the intrusion.

Broader Context of Zero-Click Vulnerabilities

Zero-click vulnerabilities are particularly concerning because they do not require any action from the user, making them highly effective for targeted attacks. Over the past few years, there has been a troubling surge in the discovery and exploitation of such vulnerabilities:

– In May 2019, a WhatsApp zero-click vulnerability (CVE-2019-3568) allowed attackers to deliver Pegasus spyware to victims via malicious RTCP packets.

– In December 2020, Citizen Lab reported on the KISMET zero-click exploit, which abused iOS 13.5’s messaging components to infect devices with Pegasus.

– In September 2021, Citizen Lab disclosed the FORCEDENTRY zero-click exploit, which targeted a vulnerability (CVE-2021-30860) in Apple’s image rendering library.

– In April 2023, Apple patched a zero-click vulnerability (CVE-2023-28205) in iOS that may have been actively exploited.

– In June 2023, Kaspersky disclosed the Operation Triangulation campaign, which exploited six zero-day vulnerabilities, including one that could write to unknown hardware registers.

The number of disclosed zero-click exploits has skyrocketed, from just three in 2019-2022 to six in the first two quarters of 2023 alone. This trend underscores the increasing sophistication of attackers and the critical need for robust security measures.

Recommendations for Users

Given the severity of this vulnerability, WhatsApp users are strongly advised to:

– Update Applications and Operating Systems: Ensure that WhatsApp and the device’s operating system are updated to the latest versions to receive security patches promptly.

– Be Cautious with Unsolicited Media: Avoid opening media files from unknown or untrusted sources, even if they appear to come from known contacts.

– Monitor Device Behavior: Stay vigilant for any unusual device behavior, such as unexpected battery drain, overheating, or unexplained data usage, which could indicate a compromise.

Industry Response

Both WhatsApp and Apple are expected to address these critical vulnerabilities in upcoming security updates. Users should apply these updates as soon as they become available to protect their devices from potential exploitation.

Conclusion

The discovery of this zero-click vulnerability in WhatsApp highlights the ongoing security challenges associated with complex file formats and cross-platform messaging applications. Users must remain proactive in updating their software and exercising caution with unsolicited media to mitigate the risks posed by such sophisticated attacks.