The Indian Computer Emergency Response Team (CERT-In), which comes under the Ministry of Electronics and Information Technology, Government of India, has issued a high-severity alert concerning a newly discovered spoofing vulnerability in WhatsApp Desktop for Windows. Identified as CIVN-2025-0075, the flaw affects application versions earlier than 2.2450.6.
Notably, the vulnerability poses a serious risk to users of the popular messaging platform’s desktop version, potentially exposing systems to unauthorised access, data theft, and malicious code execution, as per the government advisory.
According to the advisory, the vulnerability arises from a misconfiguration in how MIME (Multipurpose Internet Mail Extensions) types and file extensions are handled for attachments. This mismatch affects how web browsers interpret and process files received from a server, potentially allowing malicious files to bypass security checks.
Once these crafted files are opened manually within WhatsApp Desktop, they could trigger the execution of arbitrary code on the victim’s machine.
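A defender-side check for the mismatch described above, as an added example that is not taken from the advisory or from WhatsApp's code. It assumes the risk is an attachment whose declared MIME type disagrees with the filename extension Windows uses to pick a handler; the extension lists, type map and sample attachments are constructed for illustration.

```python
import os

# Extensions Windows passes to a loader or interpreter rather than a viewer.
# Constructed, non-exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi",
                   ".js", ".vbs", ".py", ".php", ".lnk"}

# Declared MIME type -> extensions consistent with it (constructed sample map).
EXPECTED_EXTS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "application/pdf": {".pdf"},
    "video/mp4": {".mp4"},
    "text/plain": {".txt"},
}

def effective_extension(filename):
    """Last extension of the name, after dropping trailing dots and spaces,
    which Windows ignores when resolving a file name."""
    return os.path.splitext(filename.rstrip(". "))[1].lower()

def classify(filename, declared_mime):
    """Compare what the sender declared with what the extension would launch."""
    ext = effective_extension(filename)
    mime = declared_mime.split(";")[0].strip().lower()  # drop parameters
    expected = EXPECTED_EXTS.get(mime)
    if expected is not None and ext in expected:
        return "consistent"
    if ext in EXECUTABLE_EXTS:
        return "executable-handler"  # opening it would run code
    if expected is None:
        return "unknown-type"        # no basis for comparison, review by hand
    return "mismatch"

def triage(attachments):
    """Return (filename, verdict) for every attachment that is not consistent."""
    verdicts = [(name, classify(name, mime)) for name, mime in attachments]
    return [(name, v) for name, v in verdicts if v != "consistent"]

# Constructed sample attachment metadata: (filename, declared MIME type).
SAMPLE = [
    ("holiday.jpg", "image/jpeg"),
    ("holiday.jpg.exe", "image/jpeg"),
    ("report.txt", "application/pdf"),
    ("notes.bin", "application/octet-stream"),
    ("clip.mp4 ", "video/mp4; codecs=avc1"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{verdict:20} {name!r}")
```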
WhatsApp, owned by Meta, is widely used for communication across mobile and desktop platforms, offering end-to-end encryption for privacy. However, this desktop-specific flaw could undermine those security assurances, especially for Windows users who have not updated to the latest version.
CERT-In has urged users to update their WhatsApp Desktop application to version 2.2450.6 or later to immediately mitigate any potential threats. Users are also advised to exercise caution while opening attachments from unknown sources, particularly those that appear suspicious or lack expected file extensions.
To recall, WhatsApp took decisive action by banning more than 8.4 million accounts within a single month in August last year. The move, undertaken by its parent company, Meta, aimed to curb the increasing misuse of the platform for fraudulent activities. The decision followed a surge in reports from users flagging scams and suspicious behaviour.
Notably, Meta's action aligned with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, particularly under Rule 4(1)(d) and Rule 3A(7).