Meta: WhatsApp Vulnerability Requires Immediate Patch

Users of the Windows desktop and laptop version of WhatsApp are being warned by Meta to update to the latest version of the software (2.2450.6) to patch a flaw that attackers could exploit. The WhatsApp vulnerability involves use of a malicious attachment to execute arbitrary code, but is the result of a Meta Bug Bounty program report rather than any known instances of exploitation in the wild.

WhatsApp vulnerability only impacts Windows users

The WhatsApp vulnerability is not present on mobile phones and devices, only in the desktop and laptop client that can be installed on Windows PCs. The macOS version does not appear to be impacted.

Meta has voluntarily disclosed the new WhatsApp vulnerability, now published as CVE-2025-30401, after investigating it internally as a submission to its bug bounty program. The company says there is not yet evidence that it has been exploited in the wild. The issue likely impacts all Windows versions prior to 2.2450.6.

The WhatsApp vulnerability hinges on an attacker sending a malicious attachment, and would require the target to attempt to manually view the attachment within the software. A spoofing issue makes it possible for the file opening handler to execute code that has been hidden behind a seemingly valid MIME type such as an image or document. That could pave the way for remote code execution, though a CVSS score had yet to be assigned as of this writing.

Spearphishing would be the most likely application of this particular WhatsApp vulnerability. Unless the target is oblivious to basic security hygiene, they would need to believe that the message comes from a legitimate source and then manually interact with the malicious attachment. But it is riskier than some vulnerabilities, as the malware could be disguised as a file format that one would normally assume could not possibly carry a virus, such as a JPG or GIF file.

WhatsApp should automatically update or prompt users to update when the software is started. If it does not for some reason, the software should be uninstalled and the latest version re-downloaded from a trusted source.

All prior Windows versions of WhatsApp thought to be vulnerable

WhatsApp has been dealing with something of a string of security issues dating back nearly a year. The company has been targeted by multiple leading spyware companies as a vector of attack for their government clients, most recently the Paragon group and their “Graphite” spyware. The company patched out the vulnerability that allowed Graphite to operate in late 2024 without assigning a CVE ID to it. News reports published in January of this year indicate that although Paragon is supposed to be an “ethical” spyware firm that only sells to national governments for legitimate law enforcement purposes, investigators with the University of Toronto’s Citizen Lab found that around 100 journalists and activists around the world were targeted by assorted company clients.

The WhatsApp vulnerability exploited by Paragon was a much more devastating zero-click exploit (and one that targeted phones and mobile devices), similar to one exploited by NSO Group on the platform to compromise over a thousand devices. That landed the spyware vendor in trouble in US courts, where it was found to have violated national hacking laws. The court found that NSO Group had obtained WhatsApp’s underlying code and reverse-engineered it to create several zero-click vulnerabilities that it put to use in its spyware.

And though it is not connected to the spyware manufacturers, a WhatsApp vulnerability reported in July 2024 made it possible for Python and PHP attachments to be arbitrarily executed. This attack also only impacted the Windows client, but was more limited in that Python also had to be installed on target machines. That incident revealed that Python and PHP files are not on WhatsApp’s list of potentially dangerous extensions that bring up an intermediate “Open” or “Save” window when the user interacts with them; instead they execute directly from the app. At the time Meta dismissed the idea of adding these files to its WhatsApp block list, regarding it as a non-issue.
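As an added, defender-side illustration of the two attachment-handling weaknesses described above (a declared MIME type that does not match what the filename's handler will actually do, and script extensions such as .py and .php that are run rather than displayed), the following check is example code of my own, not WhatsApp's or Meta's. The magic-byte table, the extension table and the sample attachments are constructed for the example.

```python
import os

# Magic bytes for formats a user assumes are harmless (the article names JPG and GIF).
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "application/pdf": (b"%PDF-",),
}
# Expected MIME type per extension (own table, so the check does not depend on the OS registry).
EXT_MIME = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".gif": "image/gif",
            ".png": "image/png", ".pdf": "application/pdf"}
# Extensions the shell or an interpreter would run instead of displaying
# (.py and .php are the two the July 2024 report found missing from WhatsApp's list).
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".py", ".php"}

def sniff_mime(data: bytes):
    """MIME type implied by the leading bytes, or None if no known signature matches."""
    for mime, sigs in MAGIC.items():
        if data.startswith(sigs):  # bytes.startswith accepts a tuple of prefixes
            return mime
    return None

def check_attachment(filename: str, declared_mime: str, data: bytes) -> list:
    """Reasons to block the attachment; empty list means name, MIME type and content all agree."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"extension {ext} is executed, not displayed")
    elif ext not in EXT_MIME:
        reasons.append(f"unknown extension {ext!r}")
    elif EXT_MIME[ext] != declared_mime:  # the name/MIME mismatch class of CVE-2025-30401
        reasons.append(f"declared {declared_mime} but {ext} implies {EXT_MIME[ext]}")
    actual = sniff_mime(data)
    if actual != declared_mime:
        reasons.append(f"content looks like {actual or 'unrecognised data'}, not {declared_mime}")
    return reasons

# Constructed sample attachments (leading bytes only, not real files).
SAMPLES = [
    ("photo.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),  # consistent: allowed
    ("photo.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00"),            # PE header behind an image name
    ("invoice.exe", "image/jpeg", b"MZ\x90\x00\x03\x00"),          # shown as an image, opened by extension
    ("notes.py", "text/plain", b"print('hi')\n"),                  # the July 2024 class
]

if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        reasons = check_attachment(name, mime, data)
        print(f"{name:12} {'ALLOW' if not reasons else 'BLOCK: ' + '; '.join(reasons)}")
```

Only the first sample passes; a client or mail gateway applying all three checks blocks the rest before any handler is chosen.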

In May of that year, a report published in the Intercept also accused governments of being able to bypass WhatsApp’s encryption. The report was amplified by Elon Musk, who posted on X that the messaging app exported user data nightly to comb through for digital advertising purposes. However, a deeper dive suggests that it is likely that governments are only accessing metadata and call logs, and that Meta’s general advertising practices do not include decrypting and scanning user messages.

Nico Chiaraviglio, Chief Scientist at Zimperium, notes that the incident illustrates an overlooked weakness in cybersecurity hygiene. The user assumption that certain file types are always safe to open, so long as the extension looks legitimate and the source is known, may need to be re-examined by organizational training programs: “This vulnerability highlights a broader issue that applies across all platforms: attachments remain one of the most common vectors for delivering malicious content. While this specific case involves WhatsApp for Windows, mobile platforms are not exempt. Attackers regularly leverage file attachments to bypass user trust and deliver malware, phishing payloads, or exploit vulnerabilities. Security teams should adopt a layered defense strategy including attachment scanning, behavioral analysis, and user education across both desktop and mobile environments.”

Adam Brown, Managing Consultant at Black Duck, observes that software developers must consider this possibility as well: “This is a particularly nasty vulnerability for the everyday user … To avoid such bugs, engineers should keep threat models up to date and especially in this case, engage coding standards and code review, both automated and manual, to protect their bottom line by building trust in their software.”

Senior Correspondent at CPO Magazine