Reverse Engineering a WhatsApp 0-Click Vulnerability: A Deep Dive into CVE-2025–43300
嗯,用户让我帮忙总结一篇文章,控制在100字以内,而且不需要特定的开头。首先,我得仔细阅读文章内容,理解主要信息。 文章讲的是WhatsApp的一个零点击漏洞,CVE-2025–43300。这是一个苹果ImageIO框架中的内存溢出漏洞,通过恶意DNG图片触发。攻击者可以远程执行代码,结合WhatsApp的另一个漏洞,变成零点击攻击。 用户的需求是总结内容,所以我要抓住关键点:漏洞名称、影响范围、触发方式、攻击效果以及苹果的应对措施。同时要注意字数限制。 可能用户是安全研究人员或者普通读者,想快速了解漏洞情况。深层需求可能是获取关键信息以便进一步分析或分享。 总结的时候要简洁明了,确保涵盖所有重要细节,同时不超过100字。 </think> 苹果ImageIO框架存在严重内存溢出漏洞(CVE-2025–43300),可通过恶意DNG图片触发远程代码执行。结合WhatsApp特定漏洞(CVE-2025–55177),形成零点击攻击。此漏洞已被用于真实攻击,并促使苹果紧急发布iOS 18.6.2修复补丁。 2026-4-3 06:1:23 Author: infosecwriteups.com(查看原文) 阅读量:6 收藏

Krishna Kumar

Based on “Reverse Engineering a WhatsApp 0-Click Vulnerability” by Billy Ellis

TL;DR: CVE-2025–43300 is a critical out-of-bounds write vulnerability in Apple’s ImageIO framework (specifically RawCamera library) that affects iOS devices. By crafting a malicious DNG image file with mismatched metadata values (SamplesPerPixel=2 but NumOfComponents=1), attackers can trigger memory corruption that leads to remote code execution. When paired with CVE-2025–55177 (a WhatsApp-specific bug), this becomes a true zero-click exploit requiring no user interaction whatsoever.

Press enter or click to view image in full size

🔍 Introduction: When Images Become Weapons

Imagine opening a photo on your iPhone and instantly — without tapping anything, clicking any link, or even viewing the full image — your device is compromised. That’s exactly what makes zero-click vulnerabilities so terrifying.

In late 2024 and early 2025, Apple rushed out iOS 18.6.2 to patch just such a vulnerability. This wasn’t some theoretical security flaw discovered in a lab. Security researchers found evidence that this bug was actively being exploited in the wild, meaning real attackers were using it against real people.


文章来源: https://infosecwriteups.com/reverse-engineering-a-whatsapp-0-click-vulnerability-a-deep-dive-into-cve-2025-43300-d8d425644fe9?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh