If you use the Windows client of WhatsApp, it’s time to check and see if it’s been updated recently. Versions prior to 2.2450.6 are subject to a bug that allows threat actors to attack users via file attachments that look innocuous, such as image files. The WhatsApp vulnerability allows them to disguise malicious code this way, which can then be executed if the user interacts with the attachment within the software.
The flaw is somewhat similar to a July 2024 issue discovered in the WhatsApp client, which allowed malicious Python and PHP scripts to slide through as attachments without triggering the usual safety prompt reserved for executables. However, this particular WhatsApp vulnerability allows an attacker to disguise their code as just about anything that would normally not raise user alarms.
WhatsApp vulnerability likely impacts all prior versions
The WhatsApp vulnerability has not yet been seen in any attacks in the wild; it is the result of a Meta Bug Bounty report and was disclosed by the company after being patched. Users will need version 2.2450.6 or later of the software to address it, however.
This is far from the first WhatsApp vulnerability to be in the news in recent years, but much of that has been due to it being targeted by the world’s leading spyware manufacturers. Paragon and NSO Group, both Israel-based firms widely used by world governments, have deployed zero-days against the platform that have later landed them in legal and public relations troubles. NSO Group has been accused in court of obtaining WhatsApp source code and reverse-engineering it to identify vulnerabilities and develop exploits for this purpose.
The July 2024 WhatsApp vulnerability does not appear to be connected to this one, and neither appears to be part of those spyware campaigns. But the new flaw does share a similarity with it: both exploit attachments and how they are opened in the app. WhatsApp is supposed to identify potential executables and stop short of running them when users interact with them, instead presenting them with an “Open” or “Save” dialogue box. This most recent vulnerability allows executables to be hidden as other valid MIME file types that will not trigger this step when the user interacts with them.
Windows users should update right away to disable new WhatsApp vulnerability
It appears that phone and mobile device users, as well as macOS client users, do not have to worry about the new WhatsApp vulnerability. But Windows users should update as soon as possible. The vulnerability has been published as CVE-2025-30401 but not yet assigned a severity score. There does not appear to be a remediation method other than updating to the latest version or reinstalling.
The WhatsApp vulnerability ultimately appears to be an oversight in the code allowing for spoofing, and though it is somewhat limited in its application, it is nevertheless dangerous. If an attacker can mimic a trusted source, they could very well convince a target to open what appears to be a harmless image or other file from which one would not expect an ambush.
It is somewhat surprising that this method is not more heavily targeted by hackers, and the incident illustrates that it is something both security teams and software developers may well need to pay more attention to. At the organizational IT end, a multi-layer defense that incorporates both attachment scanning and user education about the possible risks of seemingly benign file types will almost certainly help.
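One form the attachment scanning mentioned above can take, as an added example that is not code from WhatsApp or from the original article: a Python check that flags attachments whose declared MIME type disagrees with the filename extension or the leading bytes of the file. The function name, the extension list, the signature tables and the sample attachments are assumptions constructed for illustration.

```python
import os

# Assumed, non-exhaustive list of extensions Windows runs or hands to an interpreter.
RISKY_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk",
              ".ps1", ".vbs", ".js", ".py", ".php"}

# Leading bytes expected for a few declared types (sample table, extend as needed).
MAGIC = {
    "image/jpeg": b"\xff\xd8\xff",
    "image/png": b"\x89PNG\r\n\x1a\n",
    "application/pdf": b"%PDF-",
}
# Extensions that legitimately go with each declared type.
EXTS_FOR = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
}

def check_attachment(filename, declared_mime, data):
    """Return findings for one attachment; an empty list means it is consistent."""
    findings = []
    # Win32 drops trailing dots and spaces, so "a.exe. " opens as "a.exe".
    name = filename.rstrip(". ")
    ext = os.path.splitext(name)[1].lower()
    mime = declared_mime.split(";")[0].strip().lower()

    if ext in RISKY_EXTS and mime in EXTS_FOR:
        findings.append("risky-extension-behind-benign-mime")
    elif mime in EXTS_FOR and ext not in EXTS_FOR[mime]:
        findings.append("extension-mime-mismatch")
    if mime in MAGIC and not data.startswith(MAGIC[mime]):
        findings.append("content-mime-mismatch")
    if data[:2] == b"MZ":  # DOS/PE executable header
        findings.append("pe-header")
    return findings

# Constructed sample attachments: (filename, declared MIME type, first bytes).
SAMPLES = [
    ("holiday.jpg", "image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("holiday.jpg.exe", "image/jpeg", b"MZ\x90\x00\x03"),
    ("invoice.pdf.py. ", "application/pdf", b"import os\n"),
    ("scan.png", "image/jpeg", b"\x89PNG\r\n\x1a\n"),
]

if __name__ == "__main__":
    for fname, mime, head in SAMPLES:
        print(f"{fname!r:22} {mime:16} {check_attachment(fname, mime, head) or 'ok'}")
```

A mail or messaging gateway would run a check like this before delivery and quarantine anything that returns a non-empty list.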