According to the advisory, the issue stems from a misconfiguration between the MIME type and the file extension handling for attachments. This weakness could allow attackers to bypass security controls by disguising malicious files as legitimate ones. Once these crafted files are opened manually within WhatsApp Desktop, they could trigger the execution of arbitrary code on the victim’s machine.
WhatsApp, owned by Meta, is widely used for communication across mobile and desktop platforms, offering end-to-end encryption for privacy. However, this desktop-specific flaw could undermine those security assurances, especially for Windows users who have not updated to the latest version.
How to stay safe
CERT-In has urged users to update their WhatsApp Desktop application to version 2.2450.6 or later immediately to mitigate any potential threats. Users are also advised to exercise caution while opening attachments from unknown sources, particularly those that appear suspicious or lack expected file extensions.
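A receiving-side check for the MIME type and file extension mismatch the advisory describes, as an added example that is not code from WhatsApp, Meta or CERT-In. The function name `check_attachment`, the verdict labels and both extension tables are assumptions constructed for this illustration.

```python
import os

# Constructed table (assumption): MIME types expected for common attachment extensions.
EXPECTED_MIME = {
    ".jpg": {"image/jpeg"}, ".jpeg": {"image/jpeg"}, ".png": {"image/png"},
    ".gif": {"image/gif"}, ".pdf": {"application/pdf"},
    ".txt": {"text/plain"}, ".mp4": {"video/mp4"},
}
# Constructed, non-exhaustive list (assumption): extensions treated as
# executable or script content when opened on the desktop.
EXECUTABLE_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".msi",
                  ".js", ".vbs", ".py", ".php"}
# MIME types that present an attachment as a harmless picture, video or document.
BENIGN_MIME = set().union(*EXPECTED_MIME.values())


def check_attachment(filename, declared_mime):
    """Return (verdict, reason) for one attachment; verdict is allow, warn or block."""
    # Judge the final path component only, whichever separator the sender used.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    ext = os.path.splitext(name.lower())[1]
    # Drop parameters such as "; charset=utf-8" before comparing.
    mime = declared_mime.split(";", 1)[0].strip().lower()

    if ext in EXECUTABLE_EXT:
        if mime in BENIGN_MIME:
            # The spoofing case: presented as media, opened as a program.
            return "block", f"declared {mime} but would open as {ext}"
        return "warn", f"executable attachment ({ext})"
    if not ext:
        return "warn", "no file extension"
    expected = EXPECTED_MIME.get(ext)
    if expected is None:
        return "warn", f"unrecognised extension {ext}"
    if mime not in expected:
        return "warn", f"declared {mime} does not match {ext}"
    return "allow", "MIME type and extension agree"


if __name__ == "__main__":
    # Constructed sample attachments: (filename, declared MIME type).
    samples = [("holiday.jpg", "image/jpeg"), ("invoice.pdf.exe", "application/pdf"),
               ("report.pdf", "image/png"), ("notes", "text/plain")]
    for fname, mtype in samples:
        print(fname, mtype, "->", *check_attachment(fname, mtype))
```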
This vulnerability serves as a reminder of the importance of regular software updates and vigilance while interacting with digital communications, especially on widely used platforms.
To recall, WhatsApp took decisive action by banning more than 8.4 million accounts within a single month. The move, undertaken by its parent company Meta, aimed to curb the increasing misuse of the platform for fraudulent activities. The decision followed a surge in reports from users flagging scams and suspicious behaviour.
In its latest Transparency Report, Meta detailed its enforcement efforts, revealing that 8.45 million WhatsApp accounts in India were disabled between 1 August and 31 August.
Notably, this action aligned with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, particularly under Rule 4(1)(d) and Rule 3A(7).