New Zero-Click Exploit Chain Targeting WhatsApp on iOS 16
A sophisticated new zero-click exploit chain has been identified targeting iPhone users running iOS 16, enabling threat actors to hijack WhatsApp accounts without requiring any user interaction. Unlike traditional phishing, this attack bypasses standard security warnings, avoids triggering “Linked Device” notifications, and requires no interaction with suspicious links or QR codes.
The campaign was first brought to light by the Italian digital forensics firm Forenser. The firm began investigating after a surge of reports from users whose WhatsApp accounts were being used to solicit fraudulent wire transfers from recent contacts—even though the victims had not shared verification codes or authorized new sessions.
The Forensic Fingerprint: Ghost Sessions and Log Anomalies
A defining characteristic of this attack is its invisibility within the WhatsApp application interface. When victims inspected their “Linked Devices” settings, no unauthorized sessions were listed. This discrepancy suggests the attacker is not using the standard WhatsApp Web or Desktop protocols, but is instead operating through a more deeply integrated session hijack.
Through detailed forensic analysis of iOS unified logs and sysdiagnose data, researchers identified a highly specific pattern: a continuous loop of “resync” events. These logs indicate that the WhatsApp application was repeatedly renegotiating its session with the WhatsApp backend servers. Technically, this pattern points to a “session tug-of-war,” where the legitimate device and the attacker’s rogue client are simultaneously contending for control of the same cryptographic session, both attempting to stay active without fully de-authenticating the other.
Interestingly, the attackers appear to limit their visibility to recent chat histories. By focusing on contemporary threads, they can craft highly convincing fraudulent payment requests based on the immediate context of recent conversations, while leaving older or archived chats untouched.
The Exploit Chain: CVE-2025-43300 and CVE-2025-55177
The compromise relies on a multi-stage exploit chain that bridges a vulnerability in the underlying operating system with a flaw in the messaging application itself.
- Stage 1: Memory Corruption (CVE-2025-43300) – This is an out-of-bounds write vulnerability located within Apple’s ImageIO framework. An attacker can trigger memory corruption by forcing the device to process a specially crafted, malformed image file.
- Stage 2: Authorization Bypass (CVE-2025-55177) – Once the initial foothold is established, the attacker leverages a vulnerability in WhatsApp for iOS. This flaw involves insufficient authorization during the synchronization of linked-device messages, allowing the processing of malicious content from arbitrary URLs without user consent.
In lab reconstructions, researchers demonstrated that successful exploitation allows an attacker to extract the cryptographic material used during the WhatsApp session initiation handshake. This material is then reused to spin up a parallel, silent client that attaches to the victim’s account at a protocol level that bypasses the standard “Linked Devices” UI.
Mitigation and Defensive Posture
Because this is a zero-click attack, traditional “cyber hygiene” such as avoiding suspicious links is insufficient. The vulnerability exists at the framework and application level, making software updates the only definitive defense.
Immediate Actions for Users:
- Update iOS: Ensure your device is running a version higher than iOS 16.7.12 to patch the ImageIO vulnerability.
- Update WhatsApp: Ensure you are running WhatsApp for iOS version 2.25.21.73 or later.
- Session Eviction: If you suspect a compromise, reinstalling WhatsApp or migrating the account to a new device may help evict rogue sessions.
- Enable Chat Lock: Use WhatsApp’s built-in “Chat Lock” feature to add an extra layer of biometric/passcode protection to sensitive threads.
This incident marks a significant shift in the threat landscape. Zero-click capabilities, once the exclusive domain of high-resource state actors using tools like Pegasus, are being successfully weaponized by financial criminals to target the general public. As public CVE data and proof-of-concept research become more accessible, the barrier to entry for these sophisticated account-takeover operations continues to drop.