WhatsApp, the ubiquitous messaging app owned by Meta, boasts over 2 billion users worldwide. Its end-to-end encryption has made it a go-to for secure communication, but like any software, it’s not immune to vulnerabilities.
Over the years, WhatsApp has faced numerous security issues, from buffer overflows enabling spyware to zero-click exploits. This blog explores some of the most critical vulnerabilities in WhatsApp’s history, highlighting the risks and the importance of staying updated. We’ll draw from official advisories, security audits, and expert analyses to provide a balanced view.
A Brief Historical Overview
WhatsApp’s security journey has been marked by evolving threats and responses. Early criticisms focused on lack of encryption and plaintext transmissions, which were addressed with the introduction of end-to-end encryption in 2016. However, vulnerabilities have persisted, often exploited by advanced actors like nation-states or cybercriminals.
In 2011, researchers demonstrated account hijacking via intercepted verification messages on Symbian and Android devices. By 2012, messages were encrypted, but the method was deemed “broken” by experts. The app scored highly on secure messaging evaluations but lost points for not being fully open-source. Privacy concerns arose with data sharing to Facebook in 2016 and metadata collection policies in 2021, leading to regulatory scrutiny. More recently, persistent issues like group chat infiltration, first flagged in 2017, remain exploitable if servers are compromised.
Notable Vulnerabilities from the Past
The 2019 Spyware Attack via Voice Calls
One of the most infamous incidents occurred in May 2019 when a buffer overflow vulnerability allowed attackers to install spyware, such as Pegasus from NSO Group, through an unanswered voice call. This zero-day exploit targeted journalists, activists, and officials, affecting at least 1,400 users. WhatsApp sued NSO Group in 2020, alleging misuse of the flaw. The vulnerability was patched quickly, but it underscored the risks of advanced persistent threats.
2022 Remote Code Execution Flaws
In 2022, WhatsApp patched two critical vulnerabilities enabling remote code execution (RCE). One involved an integer overflow during video calls, allowing attackers to execute arbitrary code on the victim’s device. Another affected video file processing, where specially crafted files could lead to similar exploits. These were frequent attack vectors, prompting advisories from CERT-EU and tools like Qualys for detection. Users were urged to update immediately to mitigate risks.
Persistent Group Chat Vulnerability (2017–Ongoing)
First identified in 2017, this flaw allows compromised WhatsApp servers to add unauthorized users to group chats without admin approval, exposing past and future messages. Despite patches, researchers in 2025 confirmed it still exists, potentially enabling surveillance if servers are hacked. This highlights limitations in end-to-end encryption when server integrity is at stake.
Recent Vulnerabilities in 2025
As of September 2025, WhatsApp has addressed several new critical issues, reflecting ongoing threats in a connected world.
CVE-2025-55177: Zero-Click Exploit in iOS and macOS
This vulnerability involves incomplete authorization of linked device synchronization messages in WhatsApp for iOS (prior to v2.25.21.73) and WhatsApp Business for iOS. It enabled zero-click attacks, often combined with Apple flaws, allowing remote compromise without user interaction. Added to CISA’s Known Exploited Vulnerabilities catalog in September 2025 due to active exploitation, it affects iOS and macOS users. WhatsApp patched it, but it serves as a reminder of supply chain risks.
Windows RCE via Malicious Files
In April 2025, a flaw in WhatsApp for Windows allowed RCE through specially crafted files. Attackers could exploit this by sending malicious attachments, potentially taking control of the device. Meta recommended immediate updates to close this gap.
Android App Security Audit Findings
A 2025 audit by Appknox on WhatsApp’s Android app (v2.25.9.78) uncovered five vulnerabilities:
• Network Security Misconfiguration: Enables MITM attacks on unsecured networks, exposing metadata.
• Hardcoded Secrets: Sensitive keys in the APK could be extracted for unauthorized access.
• Content Provider File Traversal: Allows other apps to access restricted files on the same device.
• Derived Crypto Keys: Weak key generation could lead to data decryption.
• Insufficient TLS Enforcement: Flawed certificate validation risks connection spoofing.
These could impact billions, though end-to-end encryption protects message content.
Conclusion: Staying Safe in a Vulnerable World
WhatsApp’s vulnerabilities, from historical hijacks to modern zero-days, illustrate that no app is foolproof. However, Meta’s proactive patching—often within days—mitigates many risks. Users should enable auto-updates, use two-factor authentication, avoid suspicious links, and report issues. While end-to-end encryption safeguards messages, metadata and device security remain weak points. As threats evolve, vigilance is key. For the latest advisories, check WhatsApp’s official security page. Stay informed, stay secure!