Jan 14, 2026

Indian Government Issues High-Severity Security Alert for WhatsApp Users

The Indian Computer Emergency Response Team (CERT-In), the nodal agency for responding to cyber security incidents in India, has issued a "High-Severity" security advisory for WhatsApp users, urging millions of people to update their applications immediately to avoid the risk of data compromise.

WhatsApp Security Alert

The alert covers vulnerabilities identified across different versions of the popular messaging platform, with the potential for remote attackers to bypass security authorization and access sensitive user data.

The Critical Vulnerability: What is the Flaw?

CERT-In has flagged several high-risk vulnerabilities in WhatsApp over the past year, with two key areas of concern recently highlighted:

1. Authorization Bypass Flaw (Affecting iOS and Mac)

In a recent advisory (dated September 2025), CERT-In warned of a flaw stemming from the improper handling of synchronized messages across linked devices (like WhatsApp Web or Desktop).

  • The Risk: A remote attacker could exploit this weakness to bypass authorization checks. This means the attacker could trigger the processing of content from a malicious URL on a victim's device, leading to the unauthorized access and disclosure of private information such as messages, media, or account details.

  • Targeted Attacks: This flaw was noted to be particularly dangerous as it was observed to be working in tandem with an existing operating system-level weakness on Apple platforms, suggesting its use in sophisticated, targeted cyberattacks.
  • Affected Versions (iOS/Mac):
    • WhatsApp for iOS versions prior to 2.25.21.73
    • WhatsApp Business for iOS versions prior to 2.25.21.78
    • WhatsApp for Mac versions prior to 2.25.21.78

2. File Misconfiguration Flaw (Affecting WhatsApp Desktop for Windows)

Earlier advisories (dated April 2025) pointed out a flaw in the Windows desktop application related to how the app handles MIME types and file extensions for attachments.

  • The Risk: This misconfiguration allows an attacker to disguise a malicious file as a legitimate attachment (a 'spoofing' attack). If the user manually opens this file within the WhatsApp Desktop application, it could lead to the execution of arbitrary code on the victim's computer, potentially resulting in data theft or full system compromise.
  • Affected Versions (Windows Desktop):
    • WhatsApp Desktop for Windows versions earlier than 2.2450.6
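
An added example, not code from CERT-In or WhatsApp: a defensive check that a file gateway or triage script could run on received attachments, flagging names whose extension disagrees with the MIME type declared for them. The allow-list, the runnable-extension set, the function name and the sample attachments are constructed assumptions.

```python
from pathlib import PurePath

# Constructed allow-list: declared MIME type -> extensions consistent with it.
MIME_EXTS = {
    "image/jpeg": {".jpg", ".jpeg"},
    "image/png": {".png"},
    "video/mp4": {".mp4"},
    "application/pdf": {".pdf"},
}
# Constructed, non-exhaustive set of extensions Windows executes or interprets on open.
RUNNABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".lnk",
                 ".js", ".vbs", ".ps1", ".hta", ".jar"}


def review_attachment(filename: str, declared_mime: str) -> list[str]:
    """Return reasons to hold an attachment; an empty list means name and type agree."""
    reasons = []
    suffixes = [s.lower() for s in PurePath(filename.strip()).suffixes]
    ext = suffixes[-1] if suffixes else ""
    # Drop MIME parameters such as "; name=..." before comparing.
    mime = declared_mime.split(";", 1)[0].strip().lower()

    allowed = MIME_EXTS.get(mime)
    if allowed is None:
        reasons.append(f"declared type {mime!r} is not on the allow-list")
    elif ext not in allowed:
        reasons.append(f"extension {ext or '(none)'!r} does not match {mime!r}")
    if ext in RUNNABLE_EXTS:
        reasons.append(f"extension {ext!r} is runnable on Windows")
    # "holiday.jpg.exe": an inner suffix imitates a media type, the last one decides.
    known = set().union(*MIME_EXTS.values())
    if any(s in known for s in suffixes[:-1]) and ext not in known:
        reasons.append("inner extension imitates a media/document type")
    return reasons


# Constructed sample attachments: (filename, MIME type declared by the sender).
SAMPLES = [
    ("holiday.jpg", "image/jpeg"),
    ("Invoice.PDF", "application/pdf; name=Invoice.PDF"),
    ("holiday.jpg.exe", "image/jpeg"),
    ("statement.scr", "application/pdf"),
    ("notes.txt", "text/plain"),
]

if __name__ == "__main__":
    for name, mime in SAMPLES:
        verdict = review_attachment(name, mime)
        print(f"{name:18} ->", "; ".join(verdict) or "consistent")
```
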

What Users MUST Do Immediately

The primary and most crucial defence against these vulnerabilities is to update your application immediately.

Your Platform | Recommended Action
iPhone/iPad (iOS) | Update WhatsApp and WhatsApp Business to the latest available version from the App Store.
Mac | Update WhatsApp for Mac to the latest available version from the App Store/official channels.
Windows Desktop | Update WhatsApp Desktop to version 2.2450.6 or later.

General Security Advice from CERT-In

Beyond updating the app, CERT-In and cybersecurity experts advise all users to maintain cautious digital hygiene:

  • Avoid Suspicious Links: Do not click on links or open attachments from unknown or untrusted sources.
  • Check File Names: Be cautious of attachments that appear unusual or have suspicious file extensions, especially when using the desktop application.
  • Update OS: Keep your mobile operating system (iOS/Android) and computer operating system (Windows/Mac) updated, as operating system patches often close other security loopholes.

This advisory serves as a vital reminder that even end-to-end encrypted apps require continuous software updates to patch newly discovered security flaws.