Published: 14/05/2019 Updated: 13/08/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 670
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

A buffer overflow vulnerability in the WhatsApp VOIP stack allowed remote code execution via a specially crafted series of SRTCP packets sent to a target phone number.

Affected Versions: The issue affects WhatsApp for Android before v2.19.134, WhatsApp Business for Android before v2.19.44, WhatsApp for iOS before v2.19.51, WhatsApp Business for iOS before v2.19.51, WhatsApp for Windows Phone before v2.18.348, and WhatsApp for Tizen before v2.18.15.

Affected Products

Vendor: Whatsapp
Product: Whatsapp
Versions: 2.2.5, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.9, 2.6.10, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.6, 2.8.7, 2.10.1, 2.10.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.11, 2.11.12, 2.11.14, 2.11.15, 2.11.16, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.12.11, 2.12.12, 2.12.13, 2.12.14, 2.12.15, 2.12.16, 2.12.17, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.16.13, 2.16.14, 2.16.15, 2.16.16, 2.16.17, 2.16.18, 2.16.19, 2.16.20, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 2.17.7, 2.18.93

GitHub Repositories


Kenna API CLI utility with the ability to import single and multiple records

Recent Articles

A Brisk Private Trade in Zero-Days Widens Their Use
Threatpost • Tara Seals • 06 Apr 2020

There were more zero-days exploited in 2019 than any of the previous three years, according to telemetry from FireEye Mandiant. The firm said that’s likely due to more zero-days coming up for sale by cyber-weapons dealers like NSO Group; a growing commercial market has made such tools much more widely available.
While the identification and exploitation of zero-day vulnerabilities has historically been a calling card for only the most sophisticated cybercriminals, a wider range of threat...

WhatsApp slaps app hacker chaps on the rack for booby-trapped chat: NSO Group accused of illegal hacking by Facebook
The Register • Thomas Claburn in San Francisco • 29 Oct 2019

1,400 folks, including human-rights bods, unlawfully spied on it is claimed

Facebook and its WhatsApp subsidiary on Tuesday sued NSO Group alleging the Israel-based spyware maker unlawfully hacked smartphones using a vulnerability in the popular chat app.
The complaint [PDF], filed in a US district court in San Francisco, blames NSO for a cyberattack on WhatsApp users that was publicly disclosed in May and thwarted with a software update.
NSO Group makes a form of snoop-ware called Pegasus. The biz maintains that it sells the software – which silen...

BRATA Android RAT Steals Banking Info in Real Time
Threatpost • Tara Seals • 04 Sep 2019

A powerful Android remote access tool (RAT) family dubbed BRATA is proliferating, with at least 20 different variants cropping up since it was first spotted in January. The majority of the binaries have been found in the official Google Play store, masquerading as updates for the instant messaging application WhatsApp.
Notably, BRATA collects and relays information — especially banking information — in real time to its operators, according to research from Kaspersky.
“The abili...

Fully equipped Spying Android RAT from Brazil: BRATA
Securelist • GReAT • 29 Aug 2019

“BRATA” is a new Android remote access tool malware family. We used this code name based on its description – “Brazilian RAT Android”. It exclusively targets victims in Brazil: however, theoretically it could also be used to attack any other Android user if the cybercriminals behind it want to. It has been widespread since January 2019, primarily hosted in the Google Play store, but also found in alternative unofficial Android app stores. For the malware to function correctly, it requi...

BRATA Android RAT Used to Infect and Spy on Brazilian Users
BleepingComputer • Sergiu Gatlan • 29 Aug 2019

A new malicious Android remote access tool (RAT) dubbed BRATA was observed by Kaspersky researchers while spreading via WhatsApp and SMS messages to infect and spy on Brazilian users.
The new RAT was named based on its "Brazilian RAT Android" description by the Kaspersky Global Research & Analysis Team (GReAT) researchers who spotted it in the wild in January.
Until now, the researchers have discovered more than 20 unique BRATA variants in Android apps delivered via the G...

WhatsApp Zero-Day Exploited in Targeted Spyware Attacks
Threatpost • Lindsey O'Donnell • 14 May 2019

WhatsApp is urging users to update as soon as possible, after a zero-day vulnerability found in its messaging platform was exploited by attackers who were able to inject spyware onto victims’ phones in targeted campaigns.
First reported by the Financial Times, the popular messaging app discovered in early May that attackers were installing surveillance software on iPhones and Android phones – by calling victims using WhatsApp’s call function. WhatsApp is owned by Faceboo...

It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware
The Register • Iain Thomson in San Francisco • 14 May 2019

Rap for surveillanceware chaps in chat app voice yap trap flap – now everyone patch

A security flaw in WhatsApp can be, and has been, exploited to inject spyware into victims' smartphones: all a snoop needs to do is make a booby-trapped voice call to a target's number, and they're in. The victim doesn't need to do a thing other than leave their phone on.
The Facebook-owned software suffers from a classic buffer overflow weakness. This means a successful hacker can hijack the application to run malicious code that pores over encrypted chats, eavesdrops on calls, turns on t...