A bug in WhatsApp for Windows can be exploited to execute malicious code by anyone crafty enough to persuade a user to open a rigged attachment - and, to be fair, it doesn't take much craft to pull that off.

The spoofing flaw, tracked as [1]CVE-2025-30401 , affects all versions of WhatsApp Desktop for Windows prior to 2.2450.6, and stems from a bug in how the app handles file attachments.

Specifically, WhatsApp displays attachments based on their MIME type - the metadata meant to indicate what kind of file it is - but when a user opens the file, the app hands it off based on its filename extension instead. That means something disguised as a harmless image with the right MIME type but ending in .exe could be executed as a program - if the user clicks it.

[2]

"A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp," WhatsApp's parent company Meta [3]explained in its security advisory.

[4]

[5]

While WhatsApp is always an attractive [6]target for miscreants , this particular bug does require user interaction – the victim has to manually open the malicious attachment for the payload to run.

But this wouldn't be too hard, as many users are apt to click on anything - and even a savvy netizen may be inclined to open an attachment sent from, say, someone they didn't know but who belonged to their neighborhood watch WhatsApp group. A program run in this way may run into other defenses on your system, we note.

[7]Russia's Star Blizzard phishing crew caught targeting WhatsApp accounts

[8]If you dread a Microsoft Teams invite, just wait until it turns out to be a Russian phish

[9]Paragon spyware deployed against journalists and activists, Citizen Lab claims

[10]Scattered Spider stops the Rickrolls, starts the RAT race

Make sure you're running a version of WhatsApp for Windows higher than 2.2450.6 to be safe.

"This is a particularly nasty vulnerability for the everyday user," Adam Brown, managing security consultant at Black Duck, said in an email to The Register about this vulnerability.

[11]

"A malicious attachment could be used for data theft, running malware or spreading it, account and identity theft, or anything a nefarious actor chooses," Brown added. "Everyone should be careful when clicking on attachments, even from people they know, and Windows users of WhatsApp should be especially vigilant."

Whether anyone's actually doing this in the wild remains unclear – the advisory doesn't say if the flaw is being exploited. ®

Get our [12]Tech Resources



[1] https://nvd.nist.gov/vuln/detail/CVE-2025-30401#VulnChangeHistorySection

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Z_Wcg-vH73AXWV_L7pWryAAAAQI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://www.facebook.com/security/advisories/CVE-2025-30401?lsrc=lb

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z_Wcg-vH73AXWV_L7pWryAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Z_Wcg-vH73AXWV_L7pWryAAAAQI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[6] https://www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/

[7] https://www.theregister.com/2025/01/16/russia_star_blizzard_whatsapp/

[8] https://www.theregister.com/2025/02/15/russia_spies_spoofing_teams/

[9] https://www.theregister.com/2025/03/21/paragon_spyx_hacked/

[10] https://www.theregister.com/2025/04/08/scattered_spider_updates/

[11] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Z_Wcg-vH73AXWV_L7pWryAAAAQI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[12] https://whitepapers.theregister.com/