The flaw allows hackers to access devices even if users do not click on a link or file.