WhatsApp Zero-Click Vulnerability Privately Reported to Meta During Pwn2Own Hacking Contest

At the recent Pwn2Own Ireland 2025 hacking competition, held from October 21 to 23 in Cork, cybersecurity researchers from Team Z3 opted to privately disclose a significant zero-click remote code execution (RCE) vulnerability in WhatsApp to Meta, the application’s parent company. This decision led to the withdrawal of their planned public demonstration, which had been highly anticipated due to the event’s unprecedented $1 million bounty for such an exploit.

The Significance of Zero-Click Vulnerabilities

Zero-click vulnerabilities are particularly alarming because they allow attackers to compromise devices without any user interaction. Unlike traditional exploits that require users to click on malicious links or download infected files, zero-click attacks can infiltrate systems silently, making them especially dangerous. In the context of WhatsApp, an application with over three billion users worldwide, the potential impact of such vulnerabilities is immense.

Team Z3’s Decision and Its Implications

Team Z3’s choice to withhold their demonstration was unexpected and led to disappointment among attendees and fellow competitors. Their exploit was poised to be the highlight of the contest, potentially earning them the largest single payout in Pwn2Own history. According to the Zero Day Initiative (ZDI), the event’s organizers, Team Z3 felt that their research was not yet ready for a live public display.

Despite the absence of the demonstration, ZDI emphasized the positive outcome of the private disclosure. ZDI's analysts will conduct initial assessments before handing over the findings to Meta’s engineering team. This structured approach ensures a thorough and coordinated response to any validated flaws, aligning with ethical hacking norms that prioritize responsible disclosure over public spectacle.

Meta’s Response and Commitment to Security

Meta, which co-sponsored Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in Team Z3’s findings. The company underscored its commitment to enhancing WhatsApp’s defenses against sophisticated threats like zero-click attacks. These types of exploits have been weaponized in past spyware campaigns targeting high-profile individuals, highlighting the critical need for robust security measures.

The Evolving Landscape of Bug Bounties and Coordinated Disclosures

The incident at Pwn2Own Ireland illustrates the evolving landscape of bug bounties and coordinated disclosures in cybersecurity. While the event ultimately awarded over $1 million for 73 unique zero-day vulnerabilities across various devices, the WhatsApp case serves as a reminder of the hidden risks in ubiquitous applications. Team Z3’s decision to prioritize responsible disclosure over a public demonstration reflects a growing trend in the cybersecurity community to balance the pursuit of recognition and financial rewards with the ethical responsibility to protect users.

Awaiting Meta’s Response

As of now, specific details about the vulnerability, such as the affected versions of WhatsApp or any assigned Common Vulnerabilities and Exposures (CVE) identifier, have not been disclosed. However, experts anticipate that Meta will address the issue swiftly to mitigate potential real-world exploitation. The cybersecurity community is closely watching for Meta’s response and any forthcoming patches in upcoming security advisories.

Conclusion

Team Z3’s decision to privately disclose the zero-click vulnerability to Meta underscores the importance of responsible vulnerability reporting. By choosing to prioritize user safety over public recognition, they have potentially averted widespread harm. This incident serves as a valuable case study in the delicate balance between public disclosure and coordinated vulnerability management, highlighting the ongoing challenges and responsibilities within the cybersecurity field.