

Ethical Hacking News

The Zero-Click WhatsApp Attack: A Sophisticated Exploitation Campaign Targeting iPhone Users on iOS 16



A recent security incident has exposed a critical vulnerability in Apple's iOS 16, allowing hackers to gain unauthorized access to WhatsApp accounts without requiring any user interaction. Forensic analysis has revealed that the attackers exploited known vulnerabilities in iOS 16 to hijack WhatsApp sessions, sending messages to contacts and gaining control over the account. This article provides an in-depth look at the zero-click attack and its implications for iPhone users on iOS 16.


  • Multiple iPhone users in Italy fell victim to a zero-click attack targeting WhatsApp accounts, exploiting known vulnerabilities in iOS 16.
  • The attackers gained unauthorized access to recent chat conversations and sent messages requesting money transfers to contacts, but could not see older or archived chats.
  • The attacks were linked to CVE-2025-43300, an out-of-bounds write issue, and potentially to CVE-2025-55177, which allowed parsing of content from arbitrary URLs via improperly authorized linked-device sync messages.
  • Upgrading iOS to the latest available version is the most effective mitigation against this attack.
  • Locking chats using WhatsApp's built-in chat lock feature and updating or reinstalling the WhatsApp app can also help evict the attacker's session.


    In a disturbing development, multiple iPhone users in Italy have fallen victim to a sophisticated zero-click attack targeting WhatsApp accounts. The attacks, which appear to be linked to known vulnerabilities in iOS 16, exploited CVE-2025-43300, an out-of-bounds write issue in the ImageIO framework, to gain unauthorized access to WhatsApp sessions without requiring any user interaction.

    According to forensic analysis conducted by the Italian digital forensics firm Forenser, the attackers gained access to recent chat conversations and sent messages requesting money transfers to contacts. However, it's worth noting that the attackers were unable to see older or archived chats, suggesting that they may have been limited in their ability to control the account.

    The first technical clue came from analyzing iOS unified logs and sysdiagnose data from a compromised device. Forenser described the anomaly as "a continuous sequence of 'resync' events," which is indicative of two endpoints competing to maintain control over the same WhatsApp account. The legitimate phone and the attacker's client were repeatedly re-authenticating with WhatsApp servers in a cycle, with neither side fully displacing the other.

    This pattern was observed across all reported cases, which involved iPhone models ranging from iPhone 8 through iPhone 14, including X, XR, XS, 11, SE, 12, and 13 variants. The attackers gained access to the account without triggering any visible notification on the victim's phone or in the WhatsApp app itself.

    Forensic analysis revealed that every single case involved iOS 16, leading Forenser's team to investigate known vulnerabilities in that version of Apple's operating system. They discovered a plausible culprit: CVE-2025-43300, potentially in combination with CVE-2025-55177.

    The CVE-2025-43300 vulnerability is an out-of-bounds write issue residing in the ImageIO framework. An attacker could exploit it to cause memory corruption when processing a malicious image. Apple addressed the flaw in August 2025, after it discovered it was actively exploited as a zero-day in attacks targeting iOS, iPadOS, and macOS.

    CVE-2025-55177 is a WhatsApp-specific flaw on iOS and macOS that allowed parsing of content from arbitrary URLs via improperly authorized linked-device sync messages. According to the CVE description, iOS versions below 16.7.12 are vulnerable, which matches the versions found on all the compromised devices analyzed by Forenser.

    Supporting this theory, the unified logs from affected devices contained multiple errors generated by the image processing library, occurring at times consistent with when the WhatsApp account compromise took place. Forenser's team reproduced part of the attack scenario in a controlled lab environment using a test device running a vulnerable iOS version. The reproduction confirmed that an attacker who successfully exploits the vulnerability can extract cryptographic material needed for the WhatsApp session handshake directly from the compromised device.

    That material can then be used to instantiate a new WhatsApp client elsewhere, attached to the victim's account, without triggering any visible notification on the victim's phone or in the WhatsApp app itself. This model matches exactly what was observed in the real-world cases: an account sending messages to recent contacts despite a complete absence of linked devices visible in the app settings.
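
    The log pattern Forenser describes (a sustained run of 'resync' events, with image-library errors around the time of compromise) can be triaged with a short script. The following is an added example, not Forenser's tooling: the line layout, message strings, and thresholds are constructed assumptions and must be adapted to a real unified-log export.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp process level message" layout.
# Real unified-log exports and the exact message strings will differ.
SAMPLE_LOG = """\
2025-01-10 07:00:00 Photos error ImageIO: unsupported format
2025-01-10 08:00:00 WhatsApp info session resync requested
2025-01-10 09:14:02 WhatsApp error ImageIO: decode failed
2025-01-10 09:14:03 WhatsApp error ImageIO: decode failed
2025-01-10 09:15:10 WhatsApp info session resync requested
2025-01-10 09:15:40 WhatsApp info session resync requested
2025-01-10 09:16:15 WhatsApp info session resync requested
2025-01-10 09:16:50 WhatsApp info session resync requested
2025-01-10 09:17:20 WhatsApp info session resync requested
"""
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\w+) (.*)$")

def parse(text):
    """Return (timestamp, process, level, message) tuples, sorted by time."""
    rows = [LINE_RE.match(line) for line in text.splitlines()]
    return sorted((datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S"), m[2], m[3], m[4])
                  for m in rows if m)

# Thresholds (min_events, max_gap, lookback) are illustrative assumptions.
def resync_bursts(events, min_events=4, max_gap=timedelta(seconds=90)):
    """Group 'resync' events at most max_gap apart; keep runs >= min_events."""
    bursts, run = [], []
    for ts, _proc, _level, msg in events:
        if "resync" not in msg.lower():
            continue
        if run and ts - run[-1] > max_gap:
            if len(run) >= min_events:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(ts)
    if len(run) >= min_events:
        bursts.append((run[0], run[-1], len(run)))
    return bursts

def correlate(text, lookback=timedelta(minutes=10)):
    """Pair each resync burst with image-library errors shortly before it."""
    events = parse(text)
    img_errors = [ts for ts, _p, level, msg in events
                  if level == "error" and "imageio" in msg.lower()]
    return [{"start": start, "end": end, "resyncs": count,
             "image_errors_before": sum(start - lookback <= ts <= start
                                        for ts in img_errors)}
            for start, end, count in resync_bursts(events)]
```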

    Since this appears to be a zero-click attack, traditional user hygiene measures like "don't click suspicious links" do not apply. The most effective mitigation is straightforward: update iOS to the latest available version. CVE-2025-43300 has been patched in releases beyond iOS 16, and every compromised device analyzed by Forenser was running an unpatched iOS 16 build.

    For users who suspect their account is already compromised, Forenser's observations suggest a few practical steps. Locking chats using WhatsApp's built-in chat lock feature (which hides conversations behind a PIN or biometric authentication) appears to prevent attackers from reading or writing to those chats. Updating the WhatsApp app itself, or reinstalling it on a new device and completing a fresh authentication, seems effective at evicting the attacker's session.

    And since all observed cases involved iOS 16, upgrading the operating system should remove the underlying conditions the attack relies on. One important note for anyone receiving suspicious money requests via WhatsApp is to not reply in the same chat to verify whether the request is legitimate. The attacker may see your response before the legitimate account owner does. Call the person directly instead.

    This incident serves as a reminder that zero-click exploits, once the domain of state-sponsored actors with significant resources, are increasingly appearing in financially motivated cybercrime. The combination of known CVEs, widely available technical documentation, and a large population of devices running unpatched iOS 16 creates conditions where sophisticated attacks become operationally feasible for a broader range of threat actors.

    As the landscape of cyber threats continues to evolve, it's essential for users to stay informed about the latest vulnerabilities and exploits. Staying up-to-date with the latest security patches and taking proactive measures to protect themselves can significantly reduce the risk of falling victim to such attacks.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Zero-Click-WhatsApp-Attack-A-Sophisticated-Exploitation-Campaign-Targeting-iPhone-Users-on-iOS-16-ehn.shtml

  • https://securityaffairs.com/192627/security/zero-click-whatsapp-account-takeover-hits-iphone-users-running-ios-16-no-linked-devices-no-warning.html

  • https://nvd.nist.gov/vuln/detail/CVE-2025-43300

  • https://www.cvedetails.com/cve/CVE-2025-43300/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-55177

  • https://www.cvedetails.com/cve/CVE-2025-55177/


  • Published: Mon May 25 06:44:04 2026 by llama3.2 3B Q4_K_M












