Cybersecurity researchers are urging billions of WhatsApp users worldwide to update the messaging app immediately after two newly disclosed vulnerabilities were found to potentially expose devices to malicious files and dangerous content.
The flaws, identified in recent security advisories published by WhatsApp parent company Meta, affect the way the platform handles media attachments and file previews across Android, iOS, and Windows devices. Security researchers say attackers could potentially exploit the vulnerabilities to disguise harmful files as legitimate documents or redirect users to malicious content.
According to reporting from Malwarebytes, one of the vulnerabilities could allow specially crafted attachments to appear harmless while secretly executing malicious code when opened on affected Windows devices. Another issue impacts the handling of rich media previews and external URLs on mobile devices.
Although there is currently no evidence that either vulnerability has been actively exploited in the wild, cybersecurity experts warn that flaws of this nature can significantly increase the risk of phishing attacks, malware delivery, and social engineering scams.
Phishing attacks are among the most common cyber attacks, typically involving cybercriminals impersonating trusted organisations, colleagues, banks, or well-known brands in order to trick victims into revealing passwords, financial details, or sensitive personal information. These scams often arrive through emails, text messages, social media platforms, or messaging apps such as WhatsApp. Attackers may send fake invoices, account alerts, delivery notifications, or urgent security warnings designed to pressure users into clicking malicious links or downloading infected files.
Cybersecurity experts are also warning users about the rise of “vishing,” or voice phishing. Unlike traditional phishing scams, vishing uses phone calls, voice notes, or AI-generated audio to manipulate victims into sharing confidential information or granting access to accounts.
Fraudsters may pretend to be representatives from banks, technology companies, or even government agencies in an attempt to create panic and pressure victims into acting quickly. With the rise of artificial intelligence and voice cloning technology, these scams are becoming increasingly sophisticated and harder to detect.
The vulnerabilities, tracked as CVE-2026-23863 and CVE-2026-23866, were reportedly discovered through Meta’s bug bounty programme and have now been patched in the latest versions of WhatsApp.
Cybersecurity specialists are advising users to install updates immediately via the Apple App Store, Google Play Store, or official WhatsApp desktop channels. Large companies that rely on WhatsApp can also use a phishing simulation service so their teams can learn how to respond to a cyber attack. Users are also being reminded to avoid opening unexpected attachments, clicking suspicious links, or downloading files from unknown contacts.
Experts further recommend enabling two-factor authentication, verifying unusual requests independently, and remaining cautious of messages that create urgency or request sensitive information unexpectedly.
The warning follows a series of recent security concerns surrounding WhatsApp, including phishing campaigns, malicious group chat files, and account takeover scams targeting users through fake verification requests and linked-device attacks.
Experts say maintaining updated software remains one of the most effective ways for users to protect themselves against emerging cyber threats.
Article written by Daniel Tannenbaum
