A newly disclosed zero-click remote code execution (RCE) vulnerability in WhatsApp is being actively exploited against Apple’s iOS, macOS, and iPadOS platforms.
The flaw, demonstrated in a proof-of-concept by DarkNavyOrg researchers, leverages two distinct vulnerabilities—CVE-2025-55177 and CVE-2025-43300—to silently compromise devices without any user interaction.
Victims receive a malicious DNG image file via WhatsApp and, upon automatic parsing, suffer complete device takeover.
Dual-Stage Attack Chain
The exploitation begins with CVE-2025-55177, a critical flaw in WhatsApp’s message-handling logic.
In its default implementation, WhatsApp fails to verify that an incoming message truly originates from a legitimate linked device.
By spoofing the message source, an attacker bypasses initial security checks and injects a crafted DNG file payload into the victim’s chat history.
Because WhatsApp processes messages automatically, even before the user views them, the payload is delivered without alerting the victim.
Once delivered, the malformed DNG payload triggers the second flaw, CVE-2025-43300.
This vulnerability resides in the DNG file parsing library, where improper bounds checking leads to a memory corruption error.
When WhatsApp’s media processing engine attempts to parse the malformed DNG structure, it overwrites critical memory regions, enabling an attacker to hijack execution flow and execute arbitrary code on the target device.
Proof-of-Concept Demonstration
DarkNavyOrg’s proof-of-concept script automates the entire attack chain.
It logs into a WhatsApp account, generates a malicious DNG image with the necessary malformed headers, and sends the payload to the victim’s phone number.
From the attacker’s perspective, the exploit completes instantly once the message is delivered—no clicking, previewing, or even opening the chat is required.
The victim’s device processes the malicious DNG file in the background, executes the RCE payload, and grants the attacker full control.
Successful exploitation results in complete device compromise.
Attackers can:
- Exfiltrate personal data, including messages, contacts, photos, and credentials
- Intercept live audio and video streams from the camera and microphone
- Install persistent backdoors or malware for long-term access
- Manipulate system settings, disable security features, or remove evidence of compromise
The stealthy nature of this zero-click attack makes detection extremely difficult.
Victims have no opportunity to inspect or block the malicious payload before execution, and standard endpoint protections may not flag the malformed DNG file as malicious.
WhatsApp and Apple have both acknowledged the vulnerabilities and are preparing patches.
Users are urged to:
- Update WhatsApp immediately once the version containing the fix is released.
- Keep iOS, macOS, and iPadOS up to date to receive any underlying security library updates.
- Monitor official WhatsApp security advisories and Apple security bulletins for remediation timelines.
Until patches are widely deployed, exercise heightened caution when receiving unsolicited multimedia messages, even from known contacts.
Organizations should also consider deploying network-level content inspection to detect anomalous DNG files.
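A structural pre-filter of the kind such content inspection could apply to DNG files, as an added example (not code from DarkNavyOrg, WhatsApp or Apple). It checks only generic TIFF/DNG container bounds, not the specific trigger for CVE-2025-43300, which this article does not describe; `check_dng` and `build_sample` are hypothetical names and the sample file is constructed.

```python
import struct

# Byte size of each TIFF field type (TIFF 6.0 types 1-12, plus 13 = IFD).
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
             8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
SUBIFDS = 0x014A  # tag listing child IFD offsets

def check_dng(data, max_ifds=64):
    """Return a list of structural anomalies in a TIFF/DNG byte string."""
    if len(data) < 8 or data[:4] not in (b"II*\x00", b"MM\x00*"):
        return ["not a TIFF/DNG header"]
    e = "<" if data[:2] == b"II" else ">"
    findings, seen = [], set()
    queue = list(struct.unpack_from(e + "I", data, 4))  # offset of first IFD
    while queue:
        off = queue.pop()
        if off == 0:  # 0 terminates an IFD chain
            continue
        if off in seen or len(seen) >= max_ifds:
            findings.append(f"IFD loop or too many IFDs at {off}")
            continue
        seen.add(off)
        if off + 2 > len(data):
            findings.append(f"IFD offset {off} outside file")
            continue
        (n,) = struct.unpack_from(e + "H", data, off)
        end = off + 2 + 12 * n
        if end + 4 > len(data):
            findings.append(f"IFD at {off}: {n} entries run past end of file")
            continue
        for pos in range(off + 2, end, 12):
            tag, typ, count, val = struct.unpack_from(e + "HHII", data, pos)
            size = TYPE_SIZE.get(typ, 0) * count
            if typ not in TYPE_SIZE:
                findings.append(f"tag {tag:#06x}: unknown field type {typ}")
            elif size > 4 and val + size > len(data):
                findings.append(f"tag {tag:#06x}: {size} bytes at {val} exceed file size")
            elif tag == SUBIFDS and typ in (4, 13):
                src = pos + 8 if size <= 4 else val  # inline value or LONG array
                queue.extend(struct.unpack_from(f"{e}{count}I", data, src))
        queue.extend(struct.unpack_from(e + "I", data, end))  # next IFD in chain
    return findings

def build_sample(value_offset):
    """Constructed sample: one little-endian IFD holding a 16-byte ASCII entry."""
    entry = struct.pack("<HHII", 0x010F, 2, 16, value_offset)  # 0x010F = Make
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"constructed-data"
```

An empty result means only that the container offsets are self-consistent; a file that passes can still be malformed at a deeper layer, such as the compressed image data.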
DarkNavyOrg continues to investigate related zero-click exploits. The group has hinted at a Samsung-related vulnerability (CVE-2025-21043) under analysis.
This sequence of discoveries underscores the persistent challenge of securing complex file parsers in cross-platform messaging applications, where even trusted formats like DNG can become attack vectors.