IEEE conference paper · MCS · UNSTPB 2026

Zero-Click, Old Tricks: Anatomy of the 2025
WhatsApp–ImageIO Exploit Chain

Ștefan-Daniel Wagner · Dan-Gabriel Oltean · Victor-Nicolae Matveev Coordonator: Emil Simion

Zero-click exploits — attacks that compromise a device without any user interaction — represent the most asymmetric threat in mobile security. This paper analyzes the 2025 WhatsApp–ImageIO zero-click exploit chain, which combined a WhatsApp linked-device authorization bypass (CVE-2025-55177, CWE-863) with a heap out-of-bounds write in Apple's ImageIO framework (CVE-2025-43300, CWE-787) to achieve remote code execution on iOS devices, targeting approximately 200 journalists and civil-society figures over 90 days. We reconstruct the chain from public primary sources and use the Exploit Education Phoenix heap-two exercise as a pedagogical bridge to demonstrate that the core exploitation primitive is identical at the textbook and production levels. We recommend incremental rewriting of high-exposure C/C++ parsers in memory-safe languages and deployment of hardware memory tagging as structural countermeasures.

Download PDF Citation
Sections

Browse by chapter

I

Introduction

Why zero-click chains matter and what the 2025 case reveals.

Read online → PDF
II

Background

The C memory model, CWE classes, iOS media pipeline, FORCEDENTRY precedent.

Read online → PDF
III

Methodology

CVE selection, analysis framework, Phoenix heap-two pedagogical bridge.

Read online → PDF
IV

Case Study

The 2025 chain: delivery (CVE-2025-55177) and exploitation (CVE-2025-43300).

Read online → PDF
V

Discussion

Why mitigations failed, sandbox escape, structural alternatives.

Read online → PDF
VI

Conclusion

Findings and recommendations.

Read online → PDF
Citation

Cite this paper

IEEE-format BibTeX entry:

@inproceedings{wagner2026zeroclick,
  title     = {Zero-Click, Old Tricks: Anatomy of the 2025 WhatsApp--ImageIO Exploit Chain},
  author    = {Wagner, {\c S}tefan-Daniel and Oltean, Dan-Gabriel and Matveev, Victor-Nicolae},
  booktitle = {Master's Research, Metodologia Cerceta\u{r}ii {\c S}tiin\c{t}ifice},
  school    = {Universitatea Na{\c t}ional\u{a} de {\c S}tiin{\c t}\u{a} {\c s}i Tehnologie POLITEHNICA Bucure{\c s}ti},
  year      = {2026},
  note      = {Coordinator: Emil Simion}
}