Meta warned Windows users to update the WhatsApp messaging app to the latest version to patch a vulnerability that can let attackers execute malicious code on their devices.
Described as a spoofing issue and tracked as CVE-2025-30401, this security flaw can be exploited by attackers by sending maliciously crafted files with altered file types to potential targets.
Meta says the vulnerability impacted all WhatsApp versions and has been fixed with the release of WhatsApp 2.2450.6.
“A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension,” WhatsApp explained in a Tuesday advisory.
“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.”
Meta says an external researcher found and reported the flaw via a Meta Bug Bounty submission. The company has yet to share if CVE-2025-30401 was exploited in the wild.
In July 2024, WhatsApp addressed a slightly similar issue that allowed Python and PHP attachments to be executed without warning when recipients opened them on Windows devices with Python installed.
Often targeted in spyware attacks
More recently, following reports from security researchers at the University of Toronto’s Citizen Lab, WhatsApp also patched a zero-click, zero-day security vulnerability that was exploited to install Paragon’s Graphite spyware.
The company said the attack vector was addressed late last year “without the need for a client-side fix” and decided against assigning a CVE-ID after “reviewing the CVE guidelines published by MITRE, and [its] own internal policies.”
On January 31, after mitigating the security issue server-side, WhatsApp alerted roughly 90 Android users from over two dozen countries, including Italian journalists and activists who were targeted in Paragon spyware attacks using the zero-click exploit.
Last December, a U.S. federal judge also ruled that Israeli spyware maker NSO Group used WhatsApp zero-days to deploy Pegasus spyware on at least 1,400 devices, thus violating U.S. hacking laws.
Court documents revealed that NSO allegedly deployed Pegasus spyware in zero-click attacks that exploited WhatsApp vulnerabilities using multiple zero-day exploits. The documents also said that the spyware maker’s developers reverse-engineered WhatsApp’s code to create tools that sent malicious messages that installed spyware, violating federal and state laws.
Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.
