
WhatsApp zero-click DNG exploit: what happened, why it matters, defense guide

A chained zero-click vulnerability affecting WhatsApp and Apple's image processing let an attacker send a specially crafted DNG (Digital Negative) file that executes code remotely on the target device with no user interaction. A zero-click remote exploit is especially dangerous to high-value targets because it combines stealth with full control of the device. The chain relies on a logic/authorization flaw in WhatsApp's linked-devices handling, combined with a memory-corruption bug in DNG parsing: together they make a perfect storm. Follow the guidance below and treat mobile devices as first-class security assets.

What happened  

Security researchers were able to chain two previously reported issues: CVE-2025-55177 (a WhatsApp linked-device validation logic bug) and CVE-2025-43300 (a DNG/image parser memory corruption). An attacker can send a malformed DNG through WhatsApp; because of the linked-devices control flaw, the targeted device automatically parses that file and triggers an out-of-bounds write that leads to arbitrary code execution, with no user action. Targeted surveillance is the most likely use of this vulnerability.

Why this is especially dangerous  

  • Zero-click: no user action is required; clicking, opening, or consenting is completely bypassed, which is the most concerning property.
  • Chained: the exploit crosses app/OS boundaries and remediation will require coordinated patches from multiple vendors.  
  • Stealthy persistence: the more advanced an exploit, the more likely it can persist and exfiltrate data, steal credentials, and install remote implants that are hard to detect.

Who is at risk? 

Researcher write-ups and vendor advisories highlighted risk to users of iOS, iPadOS, and macOS because of how those platforms handle the affected DNG files and messages. Any system that parses DNG files or processes the affected messages in the same message chains may be at risk. High-profile users, including journalists and dissidents, and enterprise mobile fleets are at the highest risk.

What to do, and what to do first

Update your operating system and the WhatsApp application first. Apple and other vendors issue updates that close the exploited pathways.

Disable automatic media parsing where possible. DNG files are uncommon in normal messaging, so block them from unknown senders.

Review the linked devices on your WhatsApp account: remove any device you do not recognize, and re-authenticate trusted devices after unlinking them.

If you believe you were targeted, consider a full device reset as a last resort. Follow vendor instructions; for a compromised device, particularly a thick-client or mobile device, this may be the only way to reclaim it once other aggressive tenant controls have been exhausted.

Operational controls & hardening

  • Enforce MDM policies: restrict app versions, force automatic updates on corporate devices, and control install permissions.
  • Network filtering: block or sandbox DNG files, and inspect them in a secure sandbox before delivery to endpoints.
  • EDR & XDR monitoring: Implement and adjust macOS/iOS EDR/XDR solutions to monitor unusual process activity, persistence attempts, and exfiltration.
  • Incident playbook: Include mobile compromise scenarios in IR plans: containment, forensic imaging, token rotation, and steps around user communication.

Detection ideas, tools, and approaches (defensive, non‑exploit)

Below are practical, defensive tools and example detection approaches available to you.

Tools to consider:

  1. Mobile/endpoint: Microsoft Defender for Endpoint (does support mobile), CrowdStrike Falcon, SentinelOne, Lookout Mobile Endpoint Security.
  2. Network / sandboxing: Zeek (formerly Bro), Suricata, Palo Alto WildFire, Cisco Talos, XDR-type services from Reuters for managed detection.
  3. Forensics / analysis: Cellebrite (for enterprise forensics), Magnet AXIOM, and commercial mobile forensics suites (use cautiously and legitimately).

Detection signals

  1. Unusual logs showing use of WhatsApp Web / linked devices.
  2. Transfers of large or unusual incoming media from quiet accounts.
  3. macOS/iOS endpoints exhibiting new or anomalous processes, launch agents, or persistence entries.
  4. Connections to suspicious domains made after media receipt.

Example SIEM query (conceptual)

Look for repeated “linked device” events + large incoming media in X minutes (translate to your SIEM syntax; avoid publishing vendor‑specific exploit payload indicators).
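The correlation described above, written out as an added example (not from the original post or any SIEM vendor): it pairs a "linked device added" event with large or DNG media received for the same account within a time window. The log-line format, field names, MIME labels, and sample events are all constructed assumptions; map them to your own telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real WhatsApp/MDM telemetry); the line format
# "<ISO timestamp> key=value ..." is an assumption for this illustration.
SAMPLE_LOGS = """\
2025-09-01T10:00:05Z account=alice event=linked_device_added device=web-7f3a
2025-09-01T10:01:10Z account=alice event=media_received mime=image/x-adobe-dng bytes=8400000
2025-09-01T10:02:30Z account=bob event=media_received mime=image/jpeg bytes=120000
2025-09-01T11:30:00Z account=bob event=linked_device_added device=web-9c21
2025-09-01T12:45:00Z account=bob event=media_received mime=image/x-adobe-dng bytes=9100000
"""

DNG_MIMES = {"image/x-adobe-dng", "image/dng"}  # assumed MIME labels for DNG media
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one log line into a dict: datetime 'ts' plus its key=value fields."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields["bytes"] = int(fields.get("bytes", 0))
    return fields


def correlate(logs, window_minutes=10, min_bytes=5_000_000):
    """Alert when an account gains a new linked device and then receives large
    (or DNG) media within window_minutes. Returns a list of alert dicts."""
    events = [parse_line(l) for l in logs.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    recent_links = {}  # account -> timestamp of its most recent linked-device event
    alerts = []
    for ev in events:
        acct = ev.get("account")
        if ev.get("event") == "linked_device_added":
            recent_links[acct] = ev["ts"]
        elif ev.get("event") == "media_received" and acct in recent_links:
            is_dng = ev.get("mime") in DNG_MIMES
            if ev["ts"] - recent_links[acct] <= window and (ev["bytes"] >= min_bytes or is_dng):
                alerts.append({"account": acct, "linked_at": recent_links[acct],
                               "media_at": ev["ts"], "bytes": ev["bytes"], "is_dng": is_dng})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT {a['account']}: linked device at {a['linked_at']:%H:%M:%S}, "
              f"then {a['bytes']} bytes (DNG={a['is_dng']}) at {a['media_at']:%H:%M:%S}")
```

On the sample data only alice fires: bob's DNG arrives 75 minutes after the linked-device event, outside the window, which shows why the window and size thresholds should be tuned to your fleet's baseline.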

Indicators & CVEs (reference)

  • CVE‑2025‑55177 — WhatsApp linked‑device logic/authorization issue.
  • CVE‑2025‑43300 — Memory‑corruption in DNG/image parsing used as RCE vector.

(Avoid seeking or sharing exploited PoCs or weaponized payloads. Use threat intel feeds from reputable providers to pull safe IOCs.)

Longer-term suggestions  

  • Vendor accountability: press vendors to harden parsers, adopt memory-safe languages, and apply more aggressive fuzzing and sanitization to complex file formats.
  • Defensive layering: combine application hardening, operating-system patching, network controls, and changes in user behavior so that the layers reinforce one another.
  • Threat-hunting cadence: regularly hunt for anomalies in media-file parsing and MDM policy enforcement, and re-test to find gaps in policy adherence and missing policies.

Conclusion  

The zero-click DNG chain for WhatsApp is a case in point: contemporary adversaries exploit complexity (file parsers plus messaging features) to bypass human defenses. Enforcing mobile controls via MDM, patching, capable EDR/XDR deployment, and updated incident plans for mobile devices will ensure they are treated as fully managed security endpoints. Expect timely, actionable coverage from HackersKing, since zero-click exploit defenses must be immediate. Layered controls are mandatory to save lives and data in these scenarios.