
WhatsApp for Windows Spoofing Vulnerability Leading to Arbitrary Code Execution


Overview

CVE-2025-30401 is a spoofing vulnerability in WhatsApp for Windows (versions prior to 2.2450.6) that could allow an attacker to trick a user into executing malicious code by exploiting a mismatch between a file's MIME type and its actual file extension.

When a user manually opens an attachment in WhatsApp, the application chooses how to handle the file from its filename extension rather than from its MIME type. A malicious actor can therefore craft a file that is presented under a harmless-looking type (e.g., text/plain, as a .txt) while its real extension and content are executable (e.g., .exe or .bat). If the victim opens the file, Windows may execute the payload instead of displaying it as a text file.

Technical Details

  • Vulnerable Component: WhatsApp for Windows (before v2.2450.6)

  • Attack Vector: Maliciously crafted file attachment sent via WhatsApp

  • Impact: Arbitrary code execution with the privileges of the logged-in user

  • CWE-ID: CWE-347 (Improper Verification of Cryptographic Signature)

  • CVSS Score: Likely High (Official score pending from NVD)

  • NVD Published Date: 04/05/2025

  • NVD Last Modified: 04/08/2025

Attack Scenario

Step 1: Crafting the Malicious File

An attacker creates a file with a deceptive extension:

  • Actual File: malicious_script.exe

  • Renamed File: invoice.txt.exe (but displayed as invoice.txt due to MIME type spoofing)

Alternatively, the attacker could use:

  • A double extension (document.pdf.exe → appears as document.pdf)

  • A right-to-left (RTL) override trick, in which a Unicode bidirectional-control character reorders the displayed name (malicious.exe → displayed as txt.exe due to Unicode manipulation)

Step 2: Sending the File via WhatsApp

The attacker sends the malicious file to the victim through WhatsApp. Since WhatsApp relies on the MIME type to display the file (e.g., text/plain), the victim sees it as a harmless text file.

Step 3: Victim Opens the File

When the victim manually opens the attachment:

  1. WhatsApp checks the MIME type (displaying it as a text file).

  2. However, Windows selects the handler from the real file extension (.exe), so the payload is executed rather than displayed.

Potential Impact

  • Malware Execution: The attacker could deploy ransomware, spyware, or a remote access trojan (RAT).

  • Credential Theft: The payload could steal saved passwords or session cookies.

  • Lateral Movement: If the victim has elevated privileges, the attack could spread across a network.

Mitigation & Fixes

  • Update WhatsApp: Upgrade to WhatsApp for Windows v2.2450.6 or later, where the file handler selection aligns with MIME type verification.

  • User Awareness: Avoid opening unexpected attachments, even from known contacts.

  • Windows Defender: Ensure real-time scanning is enabled to detect malicious files.

  • Disable Auto-Execution: Restrict execution of files from temporary directories.
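The check below is an added illustration, not WhatsApp's code and not taken from the advisory. It models the decision described in Step 3 and in the first mitigation bullet: derive the handler-relevant extension the way Windows does (whatever follows the last dot, regardless of how the name renders on screen), then refuse to open an attachment whose real extension disagrees with the declared MIME type, carries a double extension, or contains a Unicode bidirectional-control character. The executable-extension list, the MIME allow-list, the sample filenames and the display approximation are all constructed for this example.

```python
"""Attachment sanity checks modelled on the MIME-type / extension mismatch
behind CVE-2025-30401 (illustrative example; not WhatsApp code)."""
import os

# Unicode bidirectional control characters that can visually reorder a filename.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Extensions Windows hands to a loader or script host instead of a viewer.
# Constructed list for this example; not exhaustive.
EXECUTABLE_EXTENSIONS = frozenset({
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".vbe",
    ".js", ".jse", ".wsf", ".wsh", ".hta", ".msi", ".lnk",
})

# Extensions a declared MIME type may legitimately carry (constructed allow-list).
MIME_EXTENSIONS = {
    "text/plain": {".txt", ".log", ".csv"},
    "application/pdf": {".pdf"},
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
}


def effective_extension(filename: str) -> str:
    """The extension Windows actually uses: what follows the last dot, lowercased,
    ignoring how the name is drawn on screen."""
    return os.path.splitext(filename)[1].lower()


def as_displayed(filename: str) -> str:
    """Rough approximation of how a right-to-left override (U+202E) reorders the
    visible name: everything after the override is drawn reversed."""
    idx = filename.find("\u202e")
    if idx < 0:
        return filename
    return filename[:idx] + filename[idx + 1:][::-1]


def inspect_attachment(filename: str, declared_mime: str) -> list:
    """Return the reasons this attachment should not be opened blindly (empty = clean)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        findings.append("bidi-control-in-name")
    ext = effective_extension(filename)
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
    stem = os.path.splitext(filename)[0]
    if os.path.splitext(stem)[1]:          # e.g. invoice.txt.exe -> stem invoice.txt
        findings.append("double-extension")
    allowed = MIME_EXTENSIONS.get(declared_mime)
    if allowed is None:
        findings.append("unknown-mime")
    elif ext not in allowed:
        findings.append("mime-extension-mismatch")
    return findings


def decide(filename: str, declared_mime: str) -> str:
    """Policy: open only when the real extension agrees with the declared MIME type
    and nothing about the name is suspicious; otherwise quarantine."""
    return "quarantine" if inspect_attachment(filename, declared_mime) else "open"


# Constructed sample attachments mirroring the names used in the Attack Scenario.
SAMPLE_ATTACHMENTS = [
    ("notes.txt", "text/plain"),
    ("invoice.txt.exe", "text/plain"),
    ("document.pdf.exe", "application/pdf"),
    ("malicious\u202etxt.exe", "text/plain"),   # renders roughly as maliciousexe.txt
    ("report.pdf", "application/pdf"),
]


def triage(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Map each sample filename to the verdict the policy gives it."""
    return {name: decide(name, mime) for name, mime in attachments}


if __name__ == "__main__":
    for name, mime in SAMPLE_ATTACHMENTS:
        print(f"{as_displayed(name)!r:30} mime={mime:16} real-ext={effective_extension(name):5} "
              f"-> {decide(name, mime):10} {inspect_attachment(name, mime)}")
```

The important design point is that the verdict is driven by effective_extension(), which looks at the raw string, not by the name a user sees: the RLO sample renders as "maliciousexe.txt" yet its real extension is ".exe", and the double-extension samples fail the MIME allow-list even though their displayed names look like .txt or .pdf.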

Conclusion

CVE-2025-30401 highlights the risks of improper file handling in messaging applications. By exploiting the discrepancy between MIME types and file extensions, attackers can deceive users into executing malicious code. Users should apply security updates promptly and exercise caution when opening attachments.

Crow

physics, information technologies, author, educator
