During the Pwn2Own Ireland 2025 hacking competition, held in Cork from October 21 to 23, cybersecurity researchers from Team Z3 withdrew their planned demonstration of a zero-click remote code execution vulnerability in WhatsApp, opting instead to report it privately to Meta through a coordinated disclosure.
The withdrawal surprised attendees and fellow competitors, as the exploit could have earned Team Z3 the largest single payout in Pwn2Own history with a record-breaking $1 million bounty.
This substantial reward reflected the critical nature of zero-click vulnerabilities in an application used by three billion people worldwide.
Private Disclosure Chosen Over Public Demonstration
According to the Zero Day Initiative (ZDI), which organizes Pwn2Own, Team Z3 determined their research wasn’t ready for a live public demonstration.
Despite the withdrawal, ZDI emphasized the positive outcome of this decision, stating that their analysts would conduct initial assessments before transferring the findings to Meta’s engineering team.
This approach ensures a structured response to the vulnerability while protecting WhatsApp’s massive user base from potential exploitation.
The private disclosure aligns with ethical hacking standards that prioritize user safety over public spectacle.
Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in Team Z3’s findings.
The company reaffirmed its commitment to strengthening WhatsApp’s defenses against sophisticated threats, particularly zero-click attacks that require no user interaction to compromise devices.
Zero-click exploits represent the most dangerous category of vulnerabilities because victims cannot prevent infection through cautious behavior.
These attacks have previously been weaponized in spyware campaigns targeting journalists, activists, and government officials.
ZDI’s coordinated disclosure process provides Meta with up to 90 days following the event to develop and deploy patches before any public revelation.
This timeframe allows vendors adequate opportunity to address vulnerabilities while maintaining transparency with the security community.
No technical details about the vulnerability have been disclosed, including affected WhatsApp versions or CVE identifiers.
Security experts anticipate that Meta will address the flaw swiftly to prevent real-world exploitation.
While the WhatsApp demonstration didn’t proceed, Pwn2Own Ireland 2025 proved exceptionally successful overall.
Researchers identified 73 unique zero-day vulnerabilities across various devices, with organizers distributing a total of $1,024,750 in prizes.
Successful exploits targeted devices including the Samsung Galaxy S25, Philips Hue Bridge, various printers, and network-attached storage systems.
Team Z3’s decision to prioritize responsible disclosure over a public demonstration underscores the cybersecurity community’s commitment to protecting users while advancing security research.
The industry now awaits Meta’s security advisory addressing this critical vulnerability.