WhatsApp plugs bug allowing RCE with spoofed filenames

by CybrGPT

Threat actors could trick users into running malicious code sent within crafted files with mismatched names.


Meta is warning WhatsApp users of an issue affecting its Windows rollouts that could allow attackers to perform remote code execution (RCE) on systems running the vulnerable releases.

Tracked as CVE-2025-30401, the flaw potentially allows threat actors to trick users into running maliciously crafted files with misleading filename extensions.

“Due to a failing in WhatsApp, a malicious program can easily be disguised as an attached image file,” Adam Brown, managing consultant at Black Duck, told CSO. “A malicious attachment could be used for data theft, running malware or spreading it, account and identity theft, or anything a nefarious actor chooses.”

The bug was reported to Meta by an external researcher via a Meta Bug Bounty submission and has been fixed in version 2.2450.6.

Users spoofed with mismatched filetype

According to the National Vulnerability Database (NVD) description, all WhatsApp Desktop releases for Windows prior to version 2.2450.6 displayed attachment files to users according to their Multipurpose Internet Mail Extensions (MIME) type.

However, once clicked for viewing, a file opening handler was selected based on the attachment’s filename extension.

“A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp,” Meta said in an advisory.
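A receiving client or mail gateway can catch this kind of mismatch by comparing the declared MIME type with the extension Windows will actually use to pick a handler. The Python sketch below is an added example, not code from WhatsApp or Meta; the extension tables, function names and sample filenames are assumptions constructed for illustration.

```python
# Added example: flag attachments whose declared MIME type and filename
# extension disagree. Tables and sample names are constructed for illustration.

# Extensions a Windows shell executes or hands to an interpreter.
# Illustrative subset (assumption), not an exhaustive blocklist.
RISKY_EXT = {"exe", "scr", "com", "bat", "cmd", "ps1", "vbs", "js", "msi",
             "lnk", "hta", "py", "pyz", "php"}

# Extensions accepted for each declared MIME type (illustrative subset).
MIME_EXT = {
    "image/jpeg": {"jpg", "jpeg"},
    "image/png": {"png"},
    "application/pdf": {"pdf"},
    "video/mp4": {"mp4"},
}


def effective_extension(filename: str) -> str:
    """Return the extension Windows would use to choose a file handler."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path
    name = name.rstrip(". ")  # Windows ignores trailing dots and spaces
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()  # only the last extension counts


def classify(filename: str, declared_mime: str) -> str:
    """Return 'ok', 'mismatch' or 'block' for one attachment."""
    ext = effective_extension(filename)
    mime = declared_mime.split(";", 1)[0].strip().lower()  # drop parameters
    if ext in RISKY_EXT:
        return "block"      # executable handler, whatever the preview shows
    if ext not in MIME_EXT.get(mime, set()):
        return "mismatch"   # unknown type or disagreeing extension: fail closed
    return "ok"


if __name__ == "__main__":
    # Constructed sample attachments: (filename, declared MIME type).
    samples = [("holiday.jpg", "image/jpeg"),
               ("holiday.jpg.exe", "image/jpeg"),
               ("invoice.EXE. ", "application/pdf"),
               ("report.png", "image/jpeg")]
    for name, mime in samples:
        print(f"{name!r:22} {mime:18} -> {classify(name, mime)}")
```

The check fails closed: a MIME type missing from the table is reported as a mismatch rather than trusted.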

Brown cautions users against hastily handling external files. “Everyone should be careful when clicking on attachments, even from people they know, and Windows users of WhatsApp should be especially vigilant.”

Meta has not yet disclosed if the flaw has been actively exploited in the wild.

WhatsApp makes for a popular attack vector

WhatsApp has been frequently targeted in the past for its popularity as an encrypted chatting platform. With over 10 billion downloads on the Google Play Store alone, the platform makes for a lucrative target for threat actors.

A similar security oversight was reported in July 2024 to be affecting the WhatsApp Windows client, allowing execution of arbitrary Python and PHP scripts on vulnerable systems with suitable coding environments installed.

Commenting on the exploitability of attachment-related flaws in popular software, Nico Chiaraviglio, chief scientist at Zimperium, said, “Attachments remain one of the most common vectors for delivering malicious content. While this specific case involves WhatsApp for Windows, mobile platforms are not exempt. Attackers regularly leverage file attachments to bypass user trust and deliver malware, phishing payloads, or exploit vulnerabilities.”

In a different approach, a zero-click vulnerability impacting WhatsApp’s mobile phone releases was reportedly exploited in zero-day attacks to install Paragon’s Graphite spyware in 2024.
