Meta-owned WhatsApp told SecurityWeek that a recent FreeType vulnerability, flagged as potentially exploited at the time of disclosure, has been linked to an exploit of Israeli surveillance solutions provider Paragon.
In mid-March, Meta published an advisory on the Facebook security advisories page to inform users about CVE-2025-27363, an out-of-bounds vulnerability in the FreeType open source library that could lead to arbitrary code execution. The advisory said the vulnerability may have been exploited in the wild.
In early May, the flaw was patched in Android and added by the cybersecurity agency CISA to its Known Exploited Vulnerabilities (KEV) catalog.
However, there has been no public information on the attacks exploiting CVE-2025-27363.
SecurityWeek learned from WhatsApp this week that the CVE identifier CVE-2025-27363 was requested by its researchers after the flaw was linked to a Paragon exploit.
The University of Toronto’s Citizen Lab research group reported in March that a WhatsApp zero-day vulnerability had been exploited in Paragon spyware attacks. WhatsApp representatives at the time told SecurityWeek that the zero-day attacks involved the use of groups and sending PDF files, and that the weakness had been patched on the server side, without the need for a client-side fix.
WhatsApp has now revealed that CVE-2025-27363 was discovered during an investigation into other potential channels — outside of WhatsApp — that threat actors such as spyware firms may be using to deliver malware.
WhatsApp said it shared its findings with others to help enhance defenses across the industry.
FreeType is a development library designed for rendering text onto bitmaps, and provides support for other font-related operations. In the case of CVE-2025-27363, which impacts FreeType 2.13.0 and earlier, Meta said the issue is triggered when “attempting to parse font subglyph structures related to TrueType GX and variable font files”.
“The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer,” Meta explained in its advisory. “This may result in arbitrary code execution.”
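As an added illustration (not FreeType's code and not from Meta's advisory) of the conversion-and-wrap pattern described above, the following C models the size computation with a constructed header constant and an assumed element size, alongside the check that rejects the bad input before any allocation happens:

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the "static value" the advisory mentions;
 * the real FreeType constant is not given in the article. */
#define HEADER_BYTES 8UL

/* The pattern the advisory describes: a signed short is widened into an
 * unsigned long, then a constant is added.  A negative short converts to a
 * value near ULONG_MAX, so the addition wraps to a tiny allocation size,
 * and later writes sized by the original count run past the buffer. */
unsigned long wrapping_alloc_size(short count)
{
    unsigned long size = count;      /* -1 becomes ULONG_MAX here */
    size += HEADER_BYTES;            /* wraps around for negative count */
    return size;
}

/* Hardened form: reject negative counts before widening, and check the
 * multiplication and addition for overflow.  Returns 0 (never a valid
 * size, since a valid size is at least HEADER_BYTES) on rejection.
 * elem_size is an assumed parameter standing in for the per-entry width. */
size_t checked_alloc_size(short count, size_t elem_size)
{
    if (count < 0)
        return 0;                    /* negative counts are never valid */
    size_t n = (size_t)count;
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return 0;                    /* n * elem_size would overflow */
    size_t body = n * elem_size;
    if (body > SIZE_MAX - HEADER_BYTES)
        return 0;                    /* adding the header would wrap */
    return body + HEADER_BYTES;
}

int main(void)
{
    /* A count of -1 yields a 7-byte "buffer" under the wrapping arithmetic,
     * while the checked version refuses it outright. */
    printf("wrapping size for -1: %lu\n", wrapping_alloc_size(-1));
    printf("checked size for -1: %zu (0 = rejected)\n", checked_alloc_size(-1, 4));
    printf("checked size for 3:  %zu\n", checked_alloc_size(3, 4));
    return 0;
}
```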
Citizen Lab has found evidence that Paragon’s Graphite spyware has been used in countries such as Australia, Canada, Denmark, Italy, Cyprus, Singapore, and Israel.
Paragon is known for developing sophisticated exploits that do not require any interaction from the targeted user. Citizen Lab found indications that the company was until recently able to hack up-to-date iPhones. Apple has since patched the exploited vulnerability.
Related: Google Ships Android ‘Advanced Protection’ Mode to Thwart Surveillance Spyware
Related: Spyware Maker NSO Ordered to Pay $167 Million Over WhatsApp Hack
Related: Android Zero-Day Exploited in Spyware Campaigns, Amnesty International Points to Cellebrite
