WhatsApp 0-Click Flaw Abused via Malicious DNG Image File


A newly discovered zero-click remote code execution (RCE) vulnerability in WhatsApp is putting millions of Apple users at risk.

Researchers from DarkNavyOrg have demonstrated a proof-of-concept (PoC) exploit that leverages two distinct flaws to compromise iOS, macOS, and iPadOS devices without any user interaction.

The attack chain begins with CVE-2025-55177, a critical logic error in WhatsApp’s message handling.

0-click Attack

According to DarkNavyOrg, WhatsApp fails to validate whether an incoming message truly originates from a linked device.

This missing check allows an attacker to craft messages that appear to come from a user’s own trusted account. As soon as WhatsApp processes the spoofed message, the malicious payload is delivered seamlessly.

Once the malicious message bypasses initial security filters, the exploit triggers CVE-2025-43300, a severe flaw in WhatsApp’s DNG image parsing library. The attacker embeds a malformed DNG (Digital Negative) image into the message.

When WhatsApp automatically processes the image, the corrupted DNG causes a memory corruption error. This error leads to remote code execution, granting the attacker full control over the target device.

DarkNavyOrg’s PoC automates the entire process. A script logs into WhatsApp, generates the malformed DNG image, and sends it to the victim’s phone number.

The attack executes silently: the recipient never sees a notification, message preview, or any indication of compromise. As a result, the device becomes fully controlled by the attacker without any visible signs.

The potential impact of this zero-click RCE is severe. An attacker with full control of a targeted device can intercept messages, steal photos, record calls, and install additional malware.

Since the exploit works across Apple’s ecosystem, it affects iPhones, iPads, and Mac computers. The stealthy nature of the attack means even highly vigilant users could be compromised.

File parsing flaws are a familiar root cause for RCE vulnerabilities. Complex image formats like DNG often include multiple embedded metadata sections.

A single malformed tag can disrupt memory management, leading to exploitable conditions. Cross-platform messaging apps handle these file types automatically, creating a potent attack vector when validation checks are incomplete.

DarkNavyOrg continues to analyze related vulnerabilities, including a Samsung-specific flaw (CVE-2025-21043) that similarly exploits zero-click mechanics.

Meanwhile, WhatsApp and Apple have been notified of the two critical bugs. Users should update WhatsApp to the latest version and install the newest iOS, macOS, or iPadOS security patches as soon as they are released.

Until patches arrive, avoid opening suspicious messages or images, even from trusted contacts.

Although this attack requires no user interaction, limiting exposure to unexpected files can reduce risk.

Enterprises should review mobile security policies and consider additional monitoring for anomalous WhatsApp traffic.

The WhatsApp zero-click RCE demonstrates the ongoing challenges of securing automated file processing in messaging apps.

As attackers refine techniques to bypass user interaction, robust validation and rapid patch deployment remain the best defenses against silent and devastating exploits.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.