A critical zero-click vulnerability (CVE-2025-55177) in WhatsApp has been leveraged in targeted spyware operations, in conjunction with an Apple ImageIO flaw (CVE-2025-43300).
This combination enabled malicious actors to disseminate exploits via WhatsApp, resulting in potential data exfiltration from the user’s Apple device.
The attack sequence involved:
- Attacker-controlled delivery
- Malicious DNG/remote image (ImageIO) parsing vulnerability (OOB write)
- Remote code execution
All occurring without user engagement.
WhatsApp fixes ‘zero-click’ bug used to hack Apple users with spyware
https://blog.quarkslab.com/patch-analysis-of-Apple-iOS-CVE-2025-43300.html
