Researchers disclosed a dangerous zero-click remote code execution (RCE) vulnerability chain affecting WhatsApp on Apple’s iOS, macOS, and iPadOS. The attack leverages two distinct flaws — CVE-2025-55177 and CVE-2025-43300 — to compromise devices without any user interaction by delivering a specially crafted DNG image via WhatsApp.

The chain begins with CVE-2025-55177, a critical logic error in WhatsApp’s message handling. According to the researchers, WhatsApp fails to properly validate that an incoming message originates from a legitimately linked device. This oversight lets an attacker spoof a trusted source and deliver malicious content while bypassing initial security checks.

Once delivered, the exploit triggers CVE-2025-43300, a vulnerability in WhatsApp’s DNG image parsing library. The attacker crafts a malformed DNG file that causes memory corruption when processed, enabling remote code execution. Researchers published a proof-of-concept (PoC) that automates the attack: logging into WhatsApp, generating the malformed DNG payload, and sending it to a target phone number. Because it requires no user action, the attack is silent and highly effective.

A successful exploit could grant an attacker full control of the target device, allowing access to sensitive data, surveillance of communications, and deployment of additional malware — all without visible indicators to the victim. The disclosure underscores persistent risks associated with complex file formats and cross-platform messaging apps; file parsers remain a frequent source of RCE vulnerabilities.

Researchers noted that analysis continues, including investigation of a separate Samsung-related issue. Meanwhile, users are strongly advised to keep WhatsApp and their Apple operating systems updated and to apply security patches promptly when vendors release fixes to mitigate this high-risk threat. Organizations should also monitor network logs for suspicious WhatsApp traffic, restrict exposure where possible, and apply mobile device management controls in enterprise environments. Vendors (WhatsApp and Apple) are expected to issue patches addressing the flaws.