CVE-2019-3568
Published 2019-05-14
Priority P190 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (due 2022-05-10)
Exploited in the wild
EPSS: 39.17% (98.4th percentile)
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
Affected
18 ranges
| Product | Version range | Fixed in |
|---|---|---|
| whatsapp_business_for_android | — | — |
| whatsapp_business_for_android | >= unspecified < 2.19.134 | 2.19.134 |
| whatsapp_business_for_ios | — | — |
| whatsapp_business_for_ios | >= unspecified < 2.19.51 | 2.19.51 |
| whatsapp_for_android | — | — |
| whatsapp_for_android | >= unspecified < 2.19.134 | 2.19.134 |
| whatsapp_for_ios | — | — |
| whatsapp_for_ios | >= unspecified < 2.19.51 | 2.19.51 |
| whatsapp_for_tizen | — | — |
| whatsapp_for_tizen | >= unspecified < 2.18.15 | 2.18.15 |
| whatsapp_for_windows_phone | — | — |
| whatsapp_for_windows_phone | >= unspecified < 2.18.348 | 2.18.348 |
| | < 2.18.15 | 2.18.15 |
| | < 2.18.348 | 2.18.348 |
| | < 2.19.51 | 2.19.51 |
| | < 2.19.134 | 2.19.134 |
| whatsapp_business | < 2.19.44 | 2.19.44 |
| whatsapp_business | < 2.19.51 | 2.19.51 |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via specially crafted RTCP/SRTCP packets sent to the target's phone number over VoIP — exploitation occurs even if the call is not answered. Monitor for anomalous RTCP traffic directed at WhatsApp VoIP endpoints.
- The overflow occurs in the SRTCP/RTCP packet handler before the call is answered. Packets exceeding 1480 bytes (0x5C8) in the length field of the RTCP handler are the trigger condition — network-level detection should flag oversized RTCP packets targeting WhatsApp VoIP.
- The patched function is a major RTCP handler called before the WhatsApp voice call is answered — detection should focus on the pre-answer call-setup phase of WhatsApp VoIP sessions.
- Fake WhatsApp update APKs posing as a CVE-2019-3568 patch were the primary BRATA distribution vector — flag sideloaded APKs claiming to be WhatsApp updates from non-official sources.
- When recipients received WhatsApp VoIP calls exploiting CVE-2019-3568, even unanswered calls resulted in Pegasus spyware installation — alert on WhatsApp process spawning unexpected child processes or network connections post-call-receipt.
- NSO Group used at least one additional zero-day in WhatsApp beyond CVE-2019-3568 — patching this CVE alone does not fully remediate NSO's attack surface against WhatsApp.
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-cmw5-mmg8-r4fr
ghsa_unreviewed·2022-05-24
CVE-2019-3568 [CRITICAL] CWE-119
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number. The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.
VulnCheck
WhatsApp VOIP Stack Buffer Overflow Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-3568 [CRITICAL] CWE-122
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.
Affected: Meta Platforms WhatsApp
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://storage.googleapis.com/gweb-uniblog-publish-prod/documents/Buying_Spying_-_Insights_into_Commercial_Surveillance_Vendors.pdf; https://www.cert.ssi.gouv.fr/uploads/CERTFR-2025-CTI-013.pdf
Remediation Due: 2022-05-10
CISA
WhatsApp VOIP Stack Buffer Overflow Vulnerability
cisa·2022-04-19·CVSS 9.8
CVE-2019-3568 [CRITICAL] CWE-122
Affected: Meta Platforms WhatsApp
A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of RTCP packets sent to a target phone number.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-3568
Remediation Due Date: 2022-05-10
Suricata
ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)
suricata·2019-03-19·CVSS 8.8
CVE-2013-3568 [HIGH]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible Linksys WRT100/110 RCE Attempt (CVE-2013-3568)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/ping.cgi"; startswith; endswith; http.request_body; content:"pingstr="; startswith; fast_pattern; content:"|3b|"; within:25; reference:cve,2013-3568; reference:url,www.exploit-db.com/exploits/28484; classtype:attempted-user; sid:2027097; rev:6; metadata:attack_target IoT, created_at 2019_03_19, cve CVE_2013_3568, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, updated_at 2024_04_13;)
No public exploits indexed.
Bleepingcomputer
NSO Group fined $167M for spyware attacks on 1,400 WhatsApp users
blogs_bleepingcomputer·2025-05-07·CVSS 9.8
Author: Bill Toulas
A U.S. federal jury has ordered Israeli spyware vendor NSO Group to pay WhatsApp $167,254,000 in punitive damages and $444,719 in compensatory damages for a 2019 campaign that targeted 1,400 users of the communication app.
The verdict is considered a landmark case for being the first time a spyware vendor is held accountable in court, and could send ripples across the commercial spyware industry.
"Today's verdict in WhatsApp's case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone," commented Meta, WhatsApp's owner, in an announcement.
"Today, the jury's decision to force NSO,
Securelist
Fully equipped Spying Android RAT from Brazil: BRATA
blogs_securelist·2019-08-29·CVSS 9.8
[CRITICAL] Fully equipped Spying Android RAT from Brazil: BRATA
Authors
GReAT
“BRATA” is a new Android remote access tool malware family. We used this code name based on its description – “Brazilian RAT Android”. It exclusively targets victims in Brazil: however, theoretically it could also be used to attack any other Android user if the cybercriminals behind it want to. It has been widespread since January 2019, primarily hosted in the Google Play store, but also found in alternative unofficial Android app stores. For the malware to function correctly, it requires at least Android Lollipop 5.0 version.
The cybercriminals behind BRATA use few infection vectors. For example, they use push notifications on compromised websites; and also spread it using messages delivered via WhatsApp or SMS, and sponsored links in Google searches.
The first samples w
Checkpoint
The NSO WhatsApp Vulnerability – This is How It Happened
blogs_checkpoint·2019-05-14·CVSS 9.8
CVE-2019-3568 [CRITICAL] The NSO WhatsApp Vulnerability – This is How It Happened
Earlier today the Financial Times published that there is a critical vulnerability in the popular WhatsApp messaging application an
2019-05-14: Published
2022-04-19: Added to CISA KEV
Exploited in the wild