
Meta has issued a warning to Windows users, advising them to update WhatsApp to the latest version in order to patch a critical vulnerability that could allow attackers to execute malicious code on targeted devices.
The flaw, tracked as CVE-2025-30401, stems from a file type spoofing issue that enables threat actors to send specially crafted attachments disguised as harmless files. If a victim opens such a file, it may silently trigger the execution of malicious code.
According to Meta, the vulnerability affected all versions of WhatsApp for Windows prior to 2.2450.6, the update in which it was addressed.
As detailed in the official advisory, vulnerable versions of the application rendered attachments based on their MIME type but executed them according to their file extension. This mismatch could lead to the unexpected execution of harmful programs if a user manually opened the file within WhatsApp.
The vulnerability was discovered by an external researcher and reported through Meta’s Bug Bounty program. At present, there is no confirmation whether it has been exploited in real-world attacks.
This is not the first such incident. In July 2024, WhatsApp patched a similar issue whereby attachments with .py and .php extensions could execute without warnings if Python was installed on the machine.
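To make the two attachment-handling issues above concrete, here is an added Python example (not Meta's or WhatsApp's code) of the kind of consistency check a client can apply before handing an attachment to the operating system. It derives one verdict from three views of the file's type: the declared MIME type, the file extension, and the leading bytes of the content. A file whose extension Windows would execute or interpret (including .py and .php, as in the July 2024 case) is blocked outright, and a disagreement between the three views produces a warning instead of a silent open. The signature table, extension list and sample attachments are constructed assumptions for illustration.

```python
"""Added example, not Meta/WhatsApp code: a consistency check between an
attachment's declared MIME type, its file extension and its leading bytes.
The point is to decide how to open a file from one consistent view of its
type, rather than rendering by MIME type and executing by extension.
All tables and sample files below are constructed for illustration."""
import os
from typing import Dict, List, Optional

# Assumption: a small, illustrative table of magic-byte signatures.
MAGIC_SIGNATURES: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"MZ": "application/x-msdownload",  # Windows PE executable (EXE, DLL, SCR)
}

# Assumption: extensions Windows will execute or interpret when "opened".
# .py and .php are included because of the July 2024 case described above.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".scr", ".bat", ".cmd", ".msi", ".hta",
    ".ps1", ".vbs", ".js", ".wsf", ".py", ".php",
}

# Assumption: the MIME type a renderer would normally expect for an extension.
EXTENSION_MIME = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".pdf": "application/pdf",
}

EXECUTABLE_MIME = "application/x-msdownload"


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def check_attachment(filename: str, declared_mime: str, data: bytes) -> dict:
    """Classify an attachment as allow / warn / block, with reasons.

    block: the file would be executed or interpreted if handed to the OS.
    warn:  the three views of the type (MIME, extension, content) disagree.
    allow: everything is consistent.
    """
    ext = os.path.splitext(filename)[1].lower()
    sniffed = sniff_mime(data)
    reasons: List[str] = []
    must_block = False

    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"extension {ext} is executed or interpreted by the OS")
        must_block = True
    if sniffed == EXECUTABLE_MIME:
        reasons.append("content starts with a PE (MZ) header")
        must_block = True

    expected = EXTENSION_MIME.get(ext)
    if expected is not None and expected != declared_mime:
        reasons.append(f"declared MIME {declared_mime} does not match extension {ext}")
    if sniffed is not None and sniffed != declared_mime:
        reasons.append(f"content sniffs as {sniffed}, not {declared_mime}")

    if must_block:
        verdict = "block"
    elif reasons:
        verdict = "warn"
    else:
        verdict = "allow"
    return {"file": filename, "extension": ext, "declared": declared_mime,
            "sniffed": sniffed, "verdict": verdict, "reasons": reasons}


# Constructed sample attachments: (filename, declared MIME type, leading bytes).
SAMPLES = [
    ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
    ("holiday.exe", "image/jpeg", b"\xff\xd8\xff\xe0"),   # renders as image, opens as EXE
    ("update.jpg", "image/jpeg", b"MZ\x90\x00\x03\x00"),  # PE bytes behind an image name
    ("invoice.pdf", "image/png", b"%PDF-1.7"),            # declared type disagrees
    ("notes.py", "text/plain", b"print('hi')"),           # script extension
]


def run_samples() -> Dict[str, str]:
    """Return {filename: verdict} for the constructed samples."""
    return {name: check_attachment(name, mime, data)["verdict"]
            for name, mime, data in SAMPLES}


if __name__ == "__main__":
    for name, mime, data in SAMPLES:
        result = check_attachment(name, mime, data)
        print(f"{name:12} {result['verdict']:5} {'; '.join(result['reasons'])}")
```

The design choice worth noting is that the extension check and the content check are both hard stops: a benign-looking MIME type never overrides them, which is exactly the ordering the vulnerable versions got wrong. In a real client the MIME and extension tables would come from a maintained library rather than an inline dictionary.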
WhatsApp has frequently been the target of surveillance operations. Recently, following an investigation by the University of Toronto and Citizen Lab, the platform patched a zero-day vulnerability exploited to install Graphite spyware, developed by the Israeli firm Paragon.
That issue was quietly resolved server-side by the end of last year and was not assigned a CVE, citing MITRE’s guidance and Meta’s internal policy.
On January 31, WhatsApp notified approximately 90 Android users across more than twenty countries—including journalists and human rights defenders in Italy—of surveillance attempts involving that zero-day exploit.
Furthermore, in December 2024, a U.S. court ruled that the Israeli NSO Group had used WhatsApp vulnerabilities to deploy its Pegasus spyware on over 1,400 devices, in violation of U.S. law.
Court documents revealed that NSO leveraged multiple zero-day flaws to deliver malicious payloads silently. The company’s developers allegedly studied WhatsApp’s source code and built custom tools for injecting spyware—actions that constituted further breaches of both federal and state regulations.