Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that could let attackers execute malicious code on their devices.
Described as a spoofing issue and tracked as CVE-2025-30401, this security flaw can be exploited by sending maliciously crafted files with altered file types to potential targets.
Meta says the vulnerability affected all WhatsApp for Windows versions before 2.2450.6 and has been fixed with the release of WhatsApp 2.2450.6.
“A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension,” WhatsApp explained in a Tuesday advisory.
“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment within WhatsApp.”
Meta says an external researcher found and reported the flaw via a Meta Bug Bounty submission. The company has yet to say whether CVE-2025-30401 was exploited in the wild.
In July 2024, WhatsApp addressed a somewhat similar issue that allowed Python and PHP attachments to be executed without warning when recipients opened them on Windows devices with Python installed.
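The advisory's description of the bug, and the July 2024 Python/PHP case before it, come down to one design mistake: the client decided what to show from one field (the declared MIME type) and decided what to run from another (the filename extension), so a sender who controls both can make an executable look like an image. The following is an added example, not WhatsApp's code, that models the vulnerable handler selection beside a hardened one that requires the declared MIME type, the extension and the file's own magic bytes to agree, and that never hands an attachment to an execution handler. The attachment records, MIME and magic-byte tables, and the handler names are constructed for illustration.

```python
"""Added example (not WhatsApp's code): the MIME/extension mismatch behind
CVE-2025-30401, modelled as a vulnerable and a hardened open routine.

Every table, record and handler name below is constructed for illustration.
"""
import os
from dataclasses import dataclass
from typing import Optional

# Constructed: which extensions a declared MIME type may legitimately carry.
MIME_TO_EXTENSIONS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}

# Constructed: leading bytes that identify the content regardless of its name.
MAGIC_BYTES = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"%PDF-": "application/pdf",
    b"MZ": "application/x-msdownload",  # Windows PE executable
}

# Constructed: extensions whose default handler executes the file rather than
# displaying it (includes the .py/.php case from the July 2024 fix).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".ps1", ".js",
                         ".hta", ".py", ".php"}


@dataclass
class Attachment:
    filename: str        # name chosen by the sender
    declared_mime: str   # MIME type declared by the sender; drives the preview
    content: bytes       # bytes written to disk when the attachment is opened


def sniff_mime(content: bytes) -> Optional[str]:
    """Identify the content by its magic bytes, ignoring name and declaration."""
    for magic, mime in MAGIC_BYTES.items():
        if content.startswith(magic):
            return mime
    return None


def vulnerable_open(att: Attachment) -> str:
    """Pre-2.2450.6 behaviour as the advisory describes it: the preview is
    chosen from declared_mime, but the handler is chosen from the extension
    alone. Returns the handler that would run."""
    ext = os.path.splitext(att.filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "execute"  # ShellExecute-style launch of the saved file
    return "view"


def hardened_open(att: Attachment) -> str:
    """Open only when declaration, extension and content agree, and never
    select an execution handler for an attachment."""
    ext = os.path.splitext(att.filename)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return "blocked: executable extension"
    allowed = MIME_TO_EXTENSIONS.get(att.declared_mime)
    if allowed is None or ext not in allowed:
        return "blocked: extension does not match declared MIME type"
    if sniff_mime(att.content) != att.declared_mime:
        return "blocked: content does not match declared MIME type"
    return "view"


# Constructed sample attachments.
PAD = b"\x00" * 16
BENIGN = Attachment("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0" + PAD)
# Previews as an image (declared JPEG) but is a PE with an .exe name.
SPOOFED = Attachment("holiday.exe", "image/jpeg", b"MZ\x90\x00" + PAD)
# Name and declaration agree, but the bytes are a PE: caught only by sniffing.
RENAMED = Attachment("report.pdf", "application/pdf", b"MZ\x90\x00" + PAD)

if __name__ == "__main__":
    for att in (BENIGN, SPOOFED, RENAMED):
        print(f"{att.filename:12} vulnerable={vulnerable_open(att):8} "
              f"hardened={hardened_open(att)}")
```

The first two checks in `hardened_open` are cheap and close the advisory's mismatch; the magic-byte check is what catches the `RENAMED` case, where name and declaration agree and only the bytes disagree. In a real client the per-extension lookup would be replaced by a fixed allow-list of viewer handlers, so that nothing the sender controls can ever select an execution path.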
Often targeted in spyware attacks
More recently, following reports from security researchers at the University of Toronto’s Citizen Lab, WhatsApp also patched a zero-click, zero-day security vulnerability that was exploited to install Paragon’s Graphite spyware.
The company said the attack vector was addressed late last year “without the need for a client-side fix” and decided against assigning a CVE-ID after “reviewing the CVE guidelines published by MITRE, and [its] own internal policies.”
On January 31, after mitigating the security issue server-side, WhatsApp alerted roughly 90 Android users from over two dozen countries, including Italian journalists and activists who were targeted in Paragon spyware attacks using the zero-click exploit.
Last December, a U.S. federal judge also ruled that Israeli spyware maker NSO Group used WhatsApp zero-days to deploy Pegasus spyware on at least 1,400 devices, thus violating U.S. hacking laws.
Court documents revealed that NSO allegedly deployed Pegasus spyware in zero-click attacks that exploited WhatsApp vulnerabilities using several zero-day exploits. The documents also said that the spyware maker’s developers reverse-engineered WhatsApp’s code to create tools that sent malicious messages that installed spyware, violating federal and state laws.