VYPR
Research · Published May 27, 2026 · 1 source

Zero-Click WhatsApp Account Takeover Attack Targets iOS 16 Users via Image-Based Exploit Chain

A zero-click WhatsApp account takeover attack targeting iOS 16 users has been uncovered, chaining an Apple ImageIO flaw with a WhatsApp linked-device sync vulnerability to silently hijack sessions.

A new zero-click attack chain is enabling attackers to silently take over WhatsApp accounts on iOS 16 devices without any user interaction or visible linked devices, according to a forensic investigation by Italian security firm Forenser. Victims, primarily using iPhones running iOS 16 across models from iPhone 8 to iPhone 14, have reported unauthorized messages being sent from their accounts requesting money transfers, yet found no suspicious activity in the "Linked Devices" section. The attack is particularly dangerous because it does not require the victim to click a link, scan a QR code, or perform any action, making it significantly harder to detect than traditional WhatsApp hijacking techniques.

The attack chains two distinct vulnerabilities: CVE-2025-43300, an Apple ImageIO out-of-bounds write flaw, and CVE-2025-55177, a WhatsApp linked-device synchronization vulnerability affecting iOS versions below 16.7.12. CVE-2025-43300 enables malicious image-based exploitation, allowing attackers to deliver a payload through a specially crafted image file. Once the image is processed by the iOS ImageIO framework, the attacker can exploit CVE-2025-55177 to extract cryptographic session data directly from the device, enabling them to initialize a rogue WhatsApp client tied to the victim's account without triggering alerts.

Forenser's analysis identified unusual "resync" events in iOS unified logs, indicating that both the victim's device and the attacker's client were simultaneously competing to maintain control over the same WhatsApp session. This behavior suggests that the attacker establishes a parallel session without registering it as a linked device, effectively bypassing WhatsApp's visibility controls. Supporting evidence includes repeated image-processing errors documented in system logs at the time of compromise, reinforcing the likelihood of a malicious payload delivered via image-based vectors.
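The two log-side indicators described above (clustered session "resync" events and repeated ImageIO decoding errors in the same time window) lend themselves to a simple triage script run over an exported iOS unified log. The following is an added example written for this article, not Forenser's tooling or anything WhatsApp or Apple ship: the line layout is modelled on `log show`-style output, the message strings and the sample log are constructed, and the thresholds and window are assumptions a responder would tune against a known-clean device.

```python
"""Heuristic triage of exported iOS unified-log lines for two co-occurring
indicators: clustered WhatsApp session "resync" events and repeated ImageIO
image-decoding errors within one time window.

Added example; log layout, message strings and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: "<YYYY-MM-DD HH:MM:SS.ffffff><+ZZZZ> <free text>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)(?:[+-]\d{4})?\s+(?P<rest>.*)$"
)
RESYNC_RE = re.compile(r"\bresync\b", re.IGNORECASE)
IMAGEIO_ERR_RE = re.compile(r"ImageIO.*(error|fail)", re.IGNORECASE)

# Constructed sample: two decode errors followed by a burst of resyncs,
# then an isolated resync hours later that should not be flagged.
SAMPLE_LOG = """\
2025-09-01 09:12:03.100000+0200 0x1f2 Default 0x0 612 0 WhatsApp: [net] keepalive ok
2025-09-01 09:12:41.250000+0200 0x1f2 Error 0x0 612 0 WhatsApp: ImageIO decode error: malformed image header
2025-09-01 09:12:41.900000+0200 0x1f2 Error 0x0 612 0 WhatsApp: ImageIO decode failed for inbound media
2025-09-01 09:13:05.000000+0200 0x1f3 Default 0x0 612 0 WhatsApp: session resync requested by server
2025-09-01 09:13:09.300000+0200 0x1f3 Default 0x0 612 0 WhatsApp: session resync requested by server
2025-09-01 09:13:12.700000+0200 0x1f3 Default 0x0 612 0 WhatsApp: session resync requested by server
2025-09-01 09:14:00.000000+0200 0x1f2 Default 0x0 612 0 WhatsApp: [net] keepalive ok
2025-09-01 15:40:00.000000+0200 0x1f3 Default 0x0 612 0 WhatsApp: session resync requested by server
"""


def extract_events(lines):
    """Return sorted (timestamp, kind) tuples for lines matching an indicator."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        ts = datetime.strptime(m.group("ts")[:26], "%Y-%m-%d %H:%M:%S.%f")
        rest = m.group("rest")
        if IMAGEIO_ERR_RE.search(rest):
            events.append((ts, "imageio_error"))
        elif RESYNC_RE.search(rest):
            events.append((ts, "resync"))
    events.sort()
    return events


def find_clusters(events, window=timedelta(minutes=10), min_resync=3, min_imageio=2):
    """Sliding window over sorted events; report windows where BOTH indicators
    exceed their thresholds. Overlapping hits are merged into one finding."""
    findings = []
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        counts = defaultdict(int)
        for _, kind in events[start:end + 1]:
            counts[kind] += 1
        if counts["resync"] >= min_resync and counts["imageio_error"] >= min_imageio:
            win_start, win_end = events[start][0], events[end][0]
            if findings and win_start <= findings[-1]["window_end"]:
                last = findings[-1]
                last["window_end"] = win_end
                last["resync"] = max(last["resync"], counts["resync"])
                last["imageio_error"] = max(last["imageio_error"], counts["imageio_error"])
            else:
                findings.append({
                    "window_start": win_start,
                    "window_end": win_end,
                    "resync": counts["resync"],
                    "imageio_error": counts["imageio_error"],
                })
    return findings


def triage_text(text):
    """Convenience wrapper: raw exported log text -> list of findings."""
    return find_clusters(extract_events(text.splitlines()))


if __name__ == "__main__":
    for f in triage_text(SAMPLE_LOG):
        print(f"suspect window {f['window_start']} .. {f['window_end']}: "
              f"{f['resync']} resync, {f['imageio_error']} ImageIO errors")
```

Requiring both indicator types in one window is the point of the script: decode errors on their own are common (corrupt or unsupported media), and an occasional resync is normal client behaviour, so either alone would drown a responder in noise. A hit is a lead to pull the device's full sysdiagnose and check the account from a clean device, not proof of compromise.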

In controlled lab testing, Forenser successfully reproduced parts of the attack, confirming that session hijacking can occur without user awareness and without leaving typical forensic traces such as new device pairings. The attack is believed to be financially motivated, as victims have reported unauthorized messages requesting money transfers. This marks a significant escalation in the accessibility of zero-click exploits, which were once limited to advanced state-sponsored operations but are now increasingly adopted by financially motivated cybercriminals.

Apple has already patched CVE-2025-43300 in newer iOS releases, and users are strongly advised to update their devices to the latest iOS version immediately. Additional protective steps include reinstalling WhatsApp, enabling chat lock features to restrict unauthorized access, and re-authenticating accounts on clean devices to invalidate attacker sessions. Users should also avoid responding to suspicious financial requests via WhatsApp and instead verify them by phone, as attackers may intercept ongoing conversations.

The widespread use of unpatched iOS 16 devices combined with publicly documented vulnerabilities has created an expanded attack surface, enabling threat actors to scale sophisticated attacks more effectively. This incident underscores the urgency of timely patching and proactive mobile security practices in defending against evolving zero-click threats. As investigations continue, the security community is closely monitoring for any signs of broader exploitation or additional attack vectors targeting the same vulnerability chain.

Synthesized by Vypr AI