News

Millions of WhatsApp users urged not to open attachments until they update

The messaging platform has rolled out a new update (Picture: Cheng Xin/Getty Images)

WhatsApp has urged users to update after the instant messaging service fixed a security flaw.

The bug, which goes by the catchy name CVE-2025-30401, affects older versions of WhatsApp Desktop for Windows PCs.

Not updating could place personal data at risk, experts warn.

What is the bug?

The bug makes people’s computers vulnerable to ‘spoofing’, which involves cyber crooks disguising their malware as an attached image file.

Clicking on the image lets the malware slip into the device, allowing hackers to execute code – a script tells gadgets what to do.

WhatsApp icon is seen displayed on a phone screen in Krakow, Poland on April 1, 2025. (Photo by Jakub Porzycki/NurPhoto via Getty Images)
The bug only impacts WhatsApp for Windows (Picture: Jakub Porzycki/NurPhoto)

The attack, called arbitrary code execution, uses a dodgy program to rip open a device’s backdoor so scammers can steal passwords, turn off security protections and even seize control of the device.

On the WhatsApp desktop version, the instant messaging service displays attachments based on their MIME type – metadata labelling the file type.

But because of the bug, WhatsApp would instead open the file based on its filename extension, the little suffix that labels the file type, like ‘.mp3’ for a music file.

Or ‘.exe’, short for ‘executable’, a set of instructions for a computer. The worry, experts said, is hackers disguising these .exe files that execute attacks as harmless images.

‘A spoofing issue in WhatsApp for Windows prior to version 2.2450.6 displayed attachments according to their MIME type but selected the file opening handler based on the attachment’s filename extension,’ the company said in a security advisory.

‘A maliciously crafted mismatch could have caused the recipient to inadvertently execute arbitrary code rather than view the attachment when manually opening the attachment inside WhatsApp.’

Mandatory Credit: Photo by Jakub Porzycki/NurPhoto/REX/Shutterstock (14525350a) WhatsApp on App Store displayed on a phone screen is seen in this illustration photo taken in Poland on June 5, 2024. Apps On App Store Photo Illustrations, Sulkowice, Poland - 05 Jun 2024
Users are advised to update as soon as possible (Picture: Jakub Porzycki/NurPhoto/REX/Shutterstock)

This update has patched out the flaw, so users are advised to update WhatsApp for Windows to version 2.2450.6 or later as soon as possible.

Once the software is fully updated, people’s sensitive data will be secure.

WhatsApp or its parent company Meta did not say the flaw had been exploited in real-life attacks.

CVE-2025-30401 was reported by a researcher to Meta’s bug bounty program.

‘Think of WhatsApp the same way as email,’ Dr Martin Kraemer, security awareness advocate at KnowBe4, told Forbes.

‘You would not want to open an unexpected email attachment, especially not from someone you do not know.

‘You also would not want to forward attachments that pose risks to friends or family. If in doubt, delete the message and file.’

Get in touch with our news team by emailing us at webnews@metro.co.uk.

For more stories like this, check our news page.

Related Posts:
(Visited 1 times, 1 visits today)

Related Posts

A ‘ballot selfie’ could get you more than likes in Illinois

How Chicago coffeehouses shaped folk music’s revival

Bulls have a new ‘Big Three,’ but they also have three big decisions to make

Leave a Reply

Your email address will not be published. Required fields are marked *