SecurityWeek reported this week that WhatsApp, owned by Meta, confirmed its researchers had requested the CVE identifier CVE-2025-27363 after linking the flaw to an exploit used by Paragon, an Israeli surveillance solutions provider. The vulnerability, CVE-2025-27363, is an out-of-bounds write in the FreeType open-source library, which could allow for arbitrary code execution. This flaw was initially highlighted in a Meta advisory in mid-March 2025, warning that it may have been exploited in the wild.
WhatsApp requested the CVE-2025-27363 identifier after linking the exploited FreeType vulnerability to a Paragon spyware attack because, during its investigation, it found that the flaw was not only relevant to WhatsApp but could also be abused through other channels outside its platform by threat actors such as commercial spyware vendors. Initially, WhatsApp had patched the vulnerability server-side without a client-side update and did not assign a CVE, in line with MITRE guidelines and its internal policies. However, once it established that the vulnerability was part of a broader exploit chain used by Paragon, and therefore posed a risk beyond WhatsApp itself, WhatsApp shared its findings to strengthen industry-wide defenses, underscoring the importance of coordinated vulnerability disclosure when a flaw is weaponized by advanced threat actors.
Connection to Paragon Spyware Attacks
The University of Toronto’s Citizen Lab had earlier reported that a WhatsApp zero-day vulnerability was exploited in Paragon spyware attacks, specifically using the Graphite spyware. The attack method involved adding targets to WhatsApp groups and sending them PDF files; the vulnerability allowed the spyware to be installed without any user interaction (a “zero-click” exploit). WhatsApp addressed this attack vector late in 2024 with a server-side fix, meaning users did not need to update their apps, and initially, no CVE was assigned.
Assignment of CVE-2025-27363
SecurityWeek learned from WhatsApp that the CVE-2025-27363 identifier was specifically requested by WhatsApp researchers after the vulnerability was definitively linked to the Paragon exploit. This is notable because, at first, WhatsApp had not assigned a CVE to the zero-day, as the fix did not require user action and was handled internally. The vulnerability was later patched in Android and added to CISA’s Known Exploited Vulnerabilities catalog.
Impact and Targeting
The Paragon spyware campaign targeted at least 90 individuals, including journalists, activists, and members of civil society across more than two dozen countries. The attacks leveraged the FreeType vulnerability to compromise devices and install spyware, with the exploit chain beginning with a malicious PDF file sent via WhatsApp group chats.