Based on “Reverse Engineering a WhatsApp 0-Click Vulnerability” by Billy Ellis
TL;DR: CVE-2025-43300 is a critical out-of-bounds write vulnerability in Apple’s ImageIO framework (specifically the RawCamera library) that affects iOS devices. By crafting a malicious DNG image file with mismatched metadata values (SamplesPerPixel=2 but NumOfComponents=1), attackers can trigger memory corruption that leads to remote code execution. When paired with CVE-2025-55177 (a WhatsApp-specific bug), this becomes a true zero-click exploit requiring no user interaction whatsoever.
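A defensive check for the mismatch described in the TL;DR, added here as an example (it is not code from the original video or from Apple): it walks the TIFF structure of a DNG and compares each IFD's SamplesPerPixel tag with the component count of the embedded lossless-JPEG stream. It assumes that the NumOfComponents value mentioned above is the component count in the JPEG SOF3 header, and it reports only streams that declare fewer components than SamplesPerPixel, on the assumption that some encoders pack single-sample raw data into multi-component streams. All function names and the sample bytes are constructed for illustration.

```python
import struct

COMPRESSION, STRIP_OFFS, SPP, TILE_OFFS, SUBIFDS = 0x103, 0x111, 0x115, 0x144, 0x14A  # TIFF tags

def _values(buf, e, typ, count, raw):  # decode the value field of one 12-byte IFD entry
    fmt, width = {3: ("H", 2), 4: ("I", 4), 13: ("I", 4)}.get(typ, ("", 0))  # SHORT, LONG, IFD
    if not width or not 0 < count <= 65536:
        return []
    if width * count > 4:  # values do not fit inline, so the field holds a file offset
        off = struct.unpack(e + "I", raw)[0]
        raw = buf[off:off + width * count]
    n = min(count, len(raw) // width)
    return list(struct.unpack(f"{e}{n}{fmt}", raw[:width * n]))

def _sof3_components(buf, pos):  # Nf from the SOF3 header of the lossless JPEG at pos, or None
    if buf[pos:pos + 2] != b"\xff\xd8":
        return None
    pos += 2
    while pos + 10 <= len(buf) and buf[pos] == 0xFF and buf[pos + 1] != 0xDA:
        if buf[pos + 1] == 0xC3:
            return buf[pos + 9]
        pos += 2 + max(2, struct.unpack(">H", buf[pos + 2:pos + 4])[0])
    return None

def find_component_mismatches(buf):  # -> [(ifd_offset, SamplesPerPixel, SOF3 Nf)] with Nf < SPP
    e = {b"II*\x00": "<", b"MM\x00*": ">"}.get(bytes(buf[:4]))
    if e is None:
        raise ValueError("not a classic TIFF/DNG container")
    todo, seen, hits = _values(buf, e, 4, 1, buf[4:8]), set(), []
    while todo:
        ifd = todo.pop()
        if ifd in seen or not 0 < ifd <= len(buf) - 2:  # cycle, null or out-of-file pointer
            continue
        seen.add(ifd)
        end, tags = ifd + 2 + 12 * struct.unpack(e + "H", buf[ifd:ifd + 2])[0], {}
        for off in range(ifd + 2, min(end, len(buf) - 11), 12):
            tag, typ, count = struct.unpack(e + "HHI", buf[off:off + 8])
            tags[tag] = _values(buf, e, typ, count, buf[off + 8:off + 12])
        todo += tags.get(SUBIFDS, []) + _values(buf, e, 4, 1, buf[end:end + 4])  # + next IFD
        data = tags.get(TILE_OFFS) or tags.get(STRIP_OFFS)
        nf = _sof3_components(buf, data[0]) if data and tags.get(COMPRESSION) == [7] else None
        if nf is not None and tags.get(SPP) and nf < tags[SPP][0]:
            hits.append((ifd, tags[SPP][0], nf))
    return hits

def constructed_sample(spp, nf):  # constructed input: one IFD and a bare SOF3 header, no pixels
    ents = [(COMPRESSION, 3, 1, 7), (STRIP_OFFS, 4, 1, 50), (SPP, 3, 1, spp)]
    head = b"II*\x00" + struct.pack("<IH", 8, 3) + b"".join(struct.pack("<HHII", *x) for x in ents)
    return head + bytes(4) + b"\xff\xd8\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * nf, 16, 1, 1, nf)
```

A hit is a reason to quarantine the file for analysis; a clean result covers only the first strip or tile of each IFD, so it is a triage signal rather than a verdict.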
🔍 Introduction: When Images Become Weapons
Imagine opening a photo on your iPhone and instantly — without tapping anything, clicking any link, or even viewing the full image — your device is compromised. That’s exactly what makes zero-click vulnerabilities so terrifying.
In late 2024 and early 2025, Apple rushed out iOS 18.6.2 to patch just such a vulnerability. This wasn’t some theoretical security flaw discovered in a lab. Security researchers found evidence that this bug was actively being exploited in the wild, meaning real attackers were using it against real people.