What happened
The silent storm began when security researchers chained two previously reported issues: CVE-2025-55177, a WhatsApp linked-device validation logic bug, and CVE-2025-43300, a DNG/image parser memory corruption. Chaining these vulnerabilities allowed an attacker to send a specially crafted DNG (Digital Negative) file through WhatsApp, triggering remote code execution on the target device with no user interaction required.
The chained vulnerabilities
The first vulnerability, CVE-2025-55177, exploited a logic bug in WhatsApp’s linked-device validation process. This bug allowed an attacker to bypass the validation checks, enabling them to send messages to a target device that would be processed without proper authorization. The second vulnerability, CVE-2025-43300, targeted the DNG image parser in Apple’s ecosystem, specifically in iOS, iPadOS, and macOS. This memory corruption bug allowed an attacker to execute arbitrary code by sending a malformed DNG file.
When these two vulnerabilities were chained together, the result was a powerful and stealthy exploit. An attacker could send a specially crafted DNG file through WhatsApp, and the target device would automatically parse the file, triggering the memory corruption bug and executing arbitrary code. This entire process occurred without any user interaction, making it a zero-click exploit.
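As a defender-side illustration of the malformed-file half of the chain (an added example, not code from WhatsApp, Apple, or this article): DNG is a TIFF-based container, so a gateway or triage script can reject files whose directory structure is inconsistent before any image parser touches them. These are generic container sanity checks, not a reproduction of the specific flaw behind CVE-2025-43300, and `check_dng_container` and `build_sample` are hypothetical names.

```python
import struct

# Byte size per TIFF field type (TIFF 6.0 types 1-12, plus 13 = IFD offset).
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
             8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
SUBIFDS = 330  # TIFF tag holding offsets of child IFDs; DNG keeps raw image IFDs here

def check_dng_container(data, max_ifds=64):
    """Return structural problems in a TIFF/DNG byte string ([] = layout is sane)."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return ["not a TIFF/DNG header"]
    e = "<" if data[:2] == b"II" else ">"          # byte order from the header
    magic, first = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return ["bad TIFF magic"]
    problems, seen, queue = [], set(), [first]
    while queue:
        off = queue.pop()
        if off == 0:                               # 0 terminates an IFD chain
            continue
        if off in seen or len(seen) >= max_ifds:
            problems.append(f"IFD loop or too many IFDs at offset {off}")
            break
        seen.add(off)
        if off + 2 > len(data):
            problems.append(f"IFD offset {off} outside file")
            continue
        (count,) = struct.unpack_from(e + "H", data, off)
        end = off + 2 + 12 * count                 # 12 bytes per directory entry
        if end + 4 > len(data):
            problems.append(f"IFD at {off} truncated")
            continue
        for i in range(count):
            tag, typ, n, val = struct.unpack_from(e + "HHII", data, off + 2 + 12 * i)
            total = TYPE_SIZE.get(typ, 0) * n
            if typ not in TYPE_SIZE:
                problems.append(f"tag {tag}: unknown field type {typ}")
            elif total > 4 and val + total > len(data):
                problems.append(f"tag {tag}: value data outside file")
            elif tag == SUBIFDS and typ in (4, 13) and n:
                # one child offset is stored inline; several live in an array at val
                queue.extend([val] if n == 1 else struct.unpack_from(f"{e}{n}I", data, val))
        queue.append(struct.unpack_from(e + "I", data, end)[0])  # next IFD in chain
    return problems

def build_sample(value_offset):
    """Constructed little-endian file: one IFD with one 16-byte ASCII tag."""
    entry = struct.pack("<HHII", 270, 2, 16, value_offset)
    ifd = struct.pack("<H", 1) + entry + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"A" * 16
```

`build_sample(26)` yields a well-formed 42-byte file, while `build_sample(4096)` points the tag's data past the end of the file and is reported as a problem.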
The perfect storm
The combination of these two vulnerabilities created a perfect storm of risks. The linked-device validation logic bug allowed the attacker to bypass authorization checks, while the DNG image parser memory corruption bug enabled remote code execution. This chaining of vulnerabilities not only increased the exploit’s power but also made it more stealthy, as it required no user interaction.
Moreover, the exploit crossed app and OS boundaries, requiring coordinated patches from multiple vendors. This added complexity to the remediation process, as patches would need to be developed and deployed across different platforms and devices.
Why this is especially dangerous
The silent storm of the WhatsApp zero-click DNG exploit is particularly dangerous due to several key factors.
Zero-click execution
The absence of any user action is the most concerning aspect of this exploit. Unlike traditional exploits that require the user to click on a link or open an attachment, this exploit can execute code on the target device without any user interaction. This makes it particularly dangerous for high-value targets, such as journalists, dissidents, and other individuals who may be targeted for surveillance or espionage.
Chained vulnerabilities
The chaining of vulnerabilities across different platforms and devices adds to the exploit’s danger. Fixing the chain requires coordinated patches from multiple vendors, which increases the complexity and time required for remediation. Additionally, the exploit can persist and exfiltrate data, steal credentials, and install remote implants that are hard to detect.
Stealthy persistence
The more advanced an exploit, the more likely it is to persist and remain undetected on the target device. This exploit’s ability to execute code without user interaction makes it particularly stealthy. Once executed, the exploit can remain on the device, allowing the attacker to maintain access and exfiltrate data over an extended period.
Who is at risk?
The silent storm of the WhatsApp zero-click DNG exploit poses a significant risk to a wide range of users. While the exploit primarily targets iOS, iPadOS, and macOS devices, any system that handles DNG files or processes affected messages might be at risk.
High-profile users
High-profile users, including journalists, dissidents, and other individuals who may be targeted for surveillance or espionage, are at the highest risk. The exploit’s stealthy nature and zero-click execution make it particularly dangerous for these individuals, as it allows attackers to gain access to their devices without their knowledge.
Enterprise mobile fleets
Enterprise mobile fleets are also at risk, as the exploit can affect multiple devices within an organization. The chaining of vulnerabilities and the requirement for coordinated patches add to the complexity of remediation, making it a significant concern for enterprises.
General users
While general users may not be the primary targets of this exploit, they are not entirely immune to risk. Any user who receives a DNG file through WhatsApp or processes affected messages might be at risk. It is essential for all users to be aware of the potential risks and take appropriate precautions to protect their devices.
Conclusion
The silent storm of the WhatsApp zero-click DNG exploit highlights the ongoing challenges in cybersecurity. The chaining of vulnerabilities, the absence of user interaction, and the stealthy nature of the exploit make it a significant concern for users across the board. As the digital landscape continues to evolve, it is essential for individuals, organizations, and vendors to work together to address these risks and protect against such exploits.
FAQ
What is a zero-click exploit?
A zero-click exploit is a type of cyberattack that can execute code on a target device without any user interaction. Unlike traditional exploits that require the user to click on a link or open an attachment, zero-click exploits need no such action and execute code automatically.
What is a DNG file?
A DNG file is a digital image file format developed by Adobe. It is designed to be a high-quality, lossless format that can be used for professional photography and other imaging applications. DNG files can contain metadata, such as camera settings and color profiles, which can be used to enhance the image.
How can I protect my device from this exploit?
To protect your device from the WhatsApp zero-click DNG exploit, follow these steps:
- Keep your device and software up to date with the latest patches and updates.
- Be cautious when opening attachments or clicking on links, especially from unknown or untrusted sources.
- Use a reputable antivirus or security software to scan your device for potential threats.
- Enable two-factor authentication to add an extra layer of security to your accounts.
- Be aware of phishing scams and other social engineering tactics that may attempt to trick you into revealing sensitive information.
What should I do if I suspect my device has been compromised?
If you suspect that your device has been compromised by the WhatsApp zero-click DNG exploit or any other cyberattack, follow these steps:
- Disconnect your device from the internet to prevent further data exfiltration or remote access.
- Use a reputable antivirus or security software to scan your device for potential threats and malware.
- Change your passwords and enable two-factor authentication to secure your accounts.
- Contact your device manufacturer or a professional IT support service to assist with the remediation process.
- Monitor your device for any unusual activity and report any suspicious behavior to your device manufacturer or a professional IT support service.
What can vendors and organizations do to address this exploit?
Vendors and organizations can take several steps to address the WhatsApp zero-click DNG exploit and other cybersecurity threats:
- Develop and deploy coordinated patches and updates to address known vulnerabilities.
- Implement robust security measures, such as encryption, authentication, and access controls, to protect against cyberattacks.
- Conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
- Educate users and employees about cybersecurity best practices and the risks associated with cyberattacks.
- Work together with other vendors and organizations to address cross-platform and cross-device vulnerabilities.
By understanding the risks posed by the WhatsApp zero-click DNG exploit and taking appropriate precautions, individuals, organizations, and vendors can work together to protect against such threats and ensure a safer digital landscape.
