Zero-Click WhatsApp Exploit Silently Hijacks iOS 16 Accounts Without User Interaction

Italian digital forensics firm Forenser has uncovered a sophisticated zero-click attack campaign that enables threat actors to covertly compromise WhatsApp accounts while legitimate users remain actively logged in and unaware of the intrusion.

The incidents primarily affected iPhone users running iOS 16, spanning devices from the iPhone 8 through the iPhone 14 series. Victims reported unauthorized WhatsApp messages requesting money transfers being sent from their accounts, despite no unfamiliar sessions or devices appearing within the app’s “Linked Devices” section.

What the researchers identified

Forenser's analysis identified unusual “resync” events in iOS unified logs, indicating that both the victim’s device and the attacker’s client were simultaneously competing to maintain control over the same WhatsApp session.
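The repeated “resync” events described above are the kind of indicator a responder would look for in an exported unified log. The following is an added example, not Forenser's tooling or any WhatsApp code: it parses constructed log lines written in the general style of `log show --style syslog` output (the exact WhatsApp message text, process name and `[sync]` tag are assumptions for illustration) and flags tight clusters of resync events, which would not occur during a single device's normal session maintenance.

```python
"""Flag bursts of WhatsApp "resync" events in an exported iOS unified log.

Added example (not the article's or WhatsApp's own code). The log format,
process name and message wording below are assumptions made for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the style of `log show --style syslog` output.
# One isolated resync at 11:02 is normal-looking; four within 4 seconds at 10:20 is not.
SAMPLE_LOG = """\
2025-09-01 10:15:02.114+0200 iPhone WhatsApp[612]: [sync] session established
2025-09-01 10:15:40.501+0200 iPhone kernel[0]: wlan: link up
2025-09-01 10:20:11.002+0200 iPhone WhatsApp[612]: [sync] resync requested by peer
2025-09-01 10:20:12.317+0200 iPhone WhatsApp[612]: [sync] resync requested by peer
2025-09-01 10:20:13.880+0200 iPhone WhatsApp[612]: [sync] resync requested by peer
2025-09-01 10:20:15.004+0200 iPhone WhatsApp[612]: [sync] resync requested by peer
2025-09-01 11:02:44.210+0200 iPhone WhatsApp[612]: [sync] resync requested by peer
"""

# "<date> <time+tz> <host> <process>[<pid>]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ (?P<proc>[^\[]+)\[\d+\]: (?P<msg>.*)$")
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f%z"


def parse_events(log_text, process="WhatsApp", keyword="resync"):
    """Return the timestamps of lines from `process` whose message contains `keyword`."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("proc") != process:
            continue
        if keyword not in m.group("msg").lower():
            continue
        events.append(datetime.strptime(m.group("ts"), TS_FORMAT))
    return events


def find_resync_bursts(events, max_gap=timedelta(seconds=10), min_count=3):
    """Group events separated by at most `max_gap`; report clusters of at least `min_count`.

    A single legitimate device reconnecting produces sparse resyncs; two clients
    fighting over one session produces clusters, which is what gets reported.
    """
    bursts = []
    cluster = []
    for ts in sorted(events):
        if cluster and ts - cluster[-1] > max_gap:
            if len(cluster) >= min_count:
                bursts.append(cluster)
            cluster = []
        cluster.append(ts)
    if len(cluster) >= min_count:
        bursts.append(cluster)
    return [
        {"start": c[0].isoformat(), "end": c[-1].isoformat(), "count": len(c)}
        for c in bursts
    ]


def analyze_log(log_text):
    """Convenience wrapper: parse the log and return the list of flagged bursts."""
    return find_resync_bursts(parse_events(log_text))


if __name__ == "__main__":
    for burst in analyze_log(SAMPLE_LOG):
        print(f"suspicious resync burst: {burst['count']} events "
              f"between {burst['start']} and {burst['end']}")
```

The thresholds (`max_gap`, `min_count`) are tunable assumptions; in practice a baseline from known-good devices should set them, and the flagged windows are a starting point for correlating with ImageIO crash logs and WhatsApp version information on the device rather than a verdict on their own.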

The attack chain combined two separate vulnerabilities to achieve a stealthy WhatsApp account takeover on vulnerable iPhones.

  • The first flaw, CVE-2025-43300, is an out-of-bounds write vulnerability within Apple’s ImageIO framework, a core iOS component responsible for processing image files.
  • By exploiting this ImageIO flaw, attackers could potentially execute malicious code on targeted iPhones without requiring any user interaction, making it a true zero-click exploit.
  • The second vulnerability, CVE-2025-55177, affected WhatsApp’s linked-device synchronization mechanism on iOS devices running versions earlier than iOS 16.7.12.

Attackers reportedly leveraged this WhatsApp synchronization weakness to secretly instantiate and maintain unauthorized WhatsApp sessions on compromised devices. The chained exploitation enabled threat actors to bypass normal WhatsApp security visibility, meaning compromised sessions did not appear under the app’s “Linked Devices” section.

Impact on Users

  • Attackers can gain full access to a victim’s WhatsApp account without the user clicking any link or opening any file.
  • Victims may not receive any warning, notification, or suspicious login alert during the compromise.
  • The hijacked session does not appear under WhatsApp’s “Linked Devices,” making detection extremely difficult.
  • Cybercriminals can impersonate victims and send fraudulent messages to contacts requesting money transfers or sensitive information.
  • Personal conversations, shared media, and confidential data may be exposed to attackers.
  • Users can experience ongoing session instability due to simultaneous access attempts between the legitimate device and the attacker.
  • Traditional phishing awareness offers limited protection because the exploit requires zero user interaction.
  • Individuals running outdated or unpatched iOS 16 versions face a significantly higher risk of compromise.
  • Financial fraud risks increase as attackers exploit trust between victims and their contacts.
  • Business users may face corporate data exposure, reputational damage, and unauthorized access to sensitive communications.

The attack demonstrates how mobile messaging platforms are increasingly becoming high-value targets for sophisticated cybercriminals. It highlights the critical importance of rapid OS updates, mobile threat monitoring, and secure communication practices.

Reminder for organizations on timely patching

This incident serves as a critical reminder for organizations to make timely patch management and proactive mobile security essential components of enterprise defense strategies.

The importance of adopting proactive threat intelligence, incident response readiness and Zero Trust security principles cannot be neglected; these are essential to defend against increasingly advanced attacks targeting communication platforms and sensitive business data in modern cyber warfare.


Sources: Zero-Click WhatsApp Account Takeover Hits iPhone Users Running iOS 16. No Linked Devices, No Warning
