Meta-owned WhatsApp told SecurityWeek that a recent FreeType vulnerability, flagged as possibly exploited at the time of disclosure, has been linked to an exploit of Israeli surveillance solutions provider Paragon.
In mid-March, Meta published an advisory on the Facebook security advisories page to inform users about CVE-2025-27363, an out-of-bounds vulnerability in the FreeType open source library that could lead to arbitrary code execution. The advisory said the vulnerability may have been exploited in the wild.
In early May, the flaw was patched in Android and added by the cybersecurity agency CISA to its Known Exploited Vulnerabilities (KEV) catalog.
However, there was no public information on the attacks exploiting CVE-2025-27363.
SecurityWeek learned from WhatsApp this week that the CVE identifier CVE-2025-27363 was requested by its researchers after the flaw was linked to a Paragon exploit.
The University of Toronto’s Citizen Lab research group reported in March that a WhatsApp zero-day vulnerability had been exploited in Paragon spyware attacks. WhatsApp representatives at the time told SecurityWeek that the zero-day attacks involved the use of groups and the sending of PDF files, and that the weakness had been patched on the server side, without the need for a client-side fix.
WhatsApp has now revealed that CVE-2025-27363 was discovered during an investigation into other potential channels, outside of WhatsApp, that threat actors such as spyware companies may be using to deliver malware.
WhatsApp said it shared its findings with others to help improve defenses across the industry.
FreeType is a development library designed for rendering text onto bitmaps, and provides support for other font-related operations. In the case of CVE-2025-27363, which impacts FreeType 2.13.0 and earlier, Meta said the issue is triggered when “attempting to parse font subglyph structures related to TrueType GX and variable font files”.
“The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer,” Meta explained in its advisory. “This may result in arbitrary code execution.”
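The arithmetic Meta describes, as an added illustration that is not FreeType’s code or the advisory’s: a hypothetical count parsed as a signed short is widened to unsigned long, a constant (assumed here to be 4; the real value is not given) is added, and the wrapped result sizes a heap buffer. The hardened function beside it rejects negative counts and checks both the addition and the multiplication for overflow before computing a size.

```c
/* Constructed sample code illustrating the advisory's description.
 * Not FreeType's source; all names and the constant are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATIC_ADD 4u   /* hypothetical constant added to the parsed count */

/* Vulnerable pattern: a signed short count is widened to unsigned long.
 * A negative short converts to a huge unsigned value; adding a small
 * constant then wraps it to (near) zero, so the buffer size is tiny. */
size_t vuln_buffer_size(short count)
{
    unsigned long n = count;          /* -4 becomes ULONG_MAX - 3 */
    n += STATIC_ADD;                  /* wraps around to 0 */
    return n * sizeof(long);          /* far smaller than intended */
}

/* Hardened pattern: reject negative counts before widening, and check
 * the addition and the multiplication for overflow explicitly.
 * Returns 1 and stores the size on success, 0 on any invalid input. */
int safe_buffer_size(short count, size_t *out)
{
    if (count < 0)
        return 0;                     /* an element count is never negative */
    size_t n = (size_t)count;
    if (n > SIZE_MAX - STATIC_ADD)
        return 0;                     /* n + STATIC_ADD would wrap */
    n += STATIC_ADD;
    if (n > SIZE_MAX / sizeof(long))
        return 0;                     /* n * sizeof(long) would wrap */
    *out = n * sizeof(long);
    return 1;
}

int main(void)
{
    size_t sz = 0;
    printf("vulnerable size for count -4: %zu bytes\n", vuln_buffer_size(-4));
    printf("hardened accepts count -4: %d\n", safe_buffer_size(-4, &sz));
    if (safe_buffer_size(3, &sz))
        printf("hardened size for count 3: %zu bytes\n", sz);
    return 0;
}
```

The vulnerable path yields a zero-byte allocation for a count of -4, which is exactly the condition under which the later writes of several signed longs land outside the buffer.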
Citizen Lab has found evidence that Paragon’s Graphite spyware has been used in countries such as Australia, Canada, Denmark, Italy, Cyprus, Singapore, and Israel.
Paragon is known for developing sophisticated exploits that don’t require any interaction from the targeted user. Citizen Lab found indications that the company was until recently able to hack up-to-date iPhones. Apple has since patched the exploited vulnerability.