Full Report
The Zero Day Initiative is offering a $1 million reward to security researchers who will demonstrate a zero-click WhatsApp exploit at its upcoming Pwn2Own Ireland 2025 hacking contest. [...]
Analysis Summary
This article primarily discusses upcoming Pwn2Own contest incentives, particularly a large cash reward for finding a zero-click WhatsApp exploit. It does **not** detail a specific, confirmed vulnerability (CVE), patch, or exploitation status for an existing flaw. The information below reflects the context provided regarding the contest rules and incentives.
# Vulnerability: Pwn2Own WhatsApp Zero-Click Exploit Incentive
## CVE Details
- CVE ID: N/A (This refers to a hunt for unknown vulnerabilities)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: WhatsApp (specific details on vulnerable versions are not provided as the contest seeks them)
- Versions: TBD (Vulnerable versions are the target of the research contest)
- Configurations: TBD
## Vulnerability Description
The Zero Day Initiative (ZDI) is offering a \$1,000,000 cash award for a successful, chainable, **0-click exploit for WhatsApp that leads to code execution**. Lesser awards are available for other WhatsApp exploits. The contest also covers various other devices, including flagship smartphones (Samsung Galaxy S25, Google Pixel 9, iPhone 16), smart glasses, headsets, and networking and home/surveillance equipment. Attack vectors include traditional wireless (Wi-Fi, Bluetooth, NFC) and new physical vectors such as USB port exploitation on locked mobile devices.
## Exploitation
- Status: No specific exploit is detailed; this is an incentive to *find* 0-day exploits.
- Complexity: High (A 0-click code execution chain is inherently complex).
- Attack Vector: Varies by category, but the main WhatsApp focus implies Network/Messaging vector exploitation.
## Impact
The potential impact of a successful 0-click WhatsApp RCE exploit would be:
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Patches will only become available *after* a vulnerability is successfully demonstrated at the contest, followed by a 90-day coordinated disclosure window with the vendor. No current patches are mentioned.
### Workarounds
- No workarounds are provided, as no specific vulnerability has been disclosed.
## Detection
- **Indicators of compromise:** None specific to a yet-to-be-discovered flaw.
- **Detection methods and tools:** ZDI coordinates disclosure, implying that detection methods will be developed post-exploitation and post-patch release.
## References
- Pwn2Own WhatsApp Awards Information (Refer to Zero Day Initiative announcements)
- [Trend Micro Zero Day Initiative - Pwn2Own](https://www.zerodayinitiative.com/blog/)