WhatsApp 0-Click Exploit Disclosed to Meta at Pwn2Own Security Event

Cybersecurity researchers from Team Z3 have withdrawn their planned demonstration of a zero-click remote code execution vulnerability in WhatsApp at the Pwn2Own Ireland 2025 hacking competition, opting instead for private coordinated disclosure to Meta.

The high-stakes exploit, which stood to earn a record-breaking $1 million bounty, was one of the most anticipated demonstrations at the three-day event held in Cork, Ireland, from October 21-23.​

The withdrawal left on-site spectators and fellow competitors disappointed, as the WhatsApp exploit represented the contest’s crown jewel and potentially the largest single payout in Pwn2Own history.

According to the Zero Day Initiative (ZDI), the event organizers, Team Z3 felt their research was not ready for a live public display.

pic.twitter.com/cE3pSZklzA

— Trend Zero Day Initiative (@thezdi) October 23, 2025

Despite the absence of a public demonstration, ZDI emphasized the positive security outcome, noting that their analysts would conduct initial assessments before handing ...