
Zoom has issued urgent security updates to fix a critical vulnerability in multiple Windows versions of its conferencing software that could allow attackers to escalate privileges remotely.
Tracked as CVE-2025-49457, the flaw scores 9.6 out of 10 on the CVSS severity scale, making it one of the most serious issues the company has addressed this year.
According to Zoom’s advisory, the bug stems from an untrusted search path in its Windows clients. This type of flaw can occur when software loads executable files or libraries without verifying their origin, allowing an attacker to trick the application into running malicious code from an unintended location. In this case, the vulnerability could be exploited by an unauthenticated attacker over the network, a combination that significantly increases its danger. Successful exploitation would grant the attacker high-level privileges, enabling them to compromise confidentiality, integrity, and availability of the affected system.
The problem affects a broad range of Zoom’s Windows-based products, including Zoom Workplace, Zoom Rooms, Zoom Rooms Controller, and the Zoom Meeting SDK, all prior to version 6.3.10. Certain Virtual Desktop Infrastructure (VDI) builds, specifically versions 6.1.16 and 6.2.12, are not affected. Zoom reports that its internal Offensive Security team discovered the flaw, indicating it was likely caught through proactive security testing rather than public exploitation.
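For fleet triage, the version ranges above can be turned into a small check. The following is an added example, not code from Zoom or the article: it applies the 6.3.10 boundary and the two exempt VDI builds to a constructed inventory. The product names, the `vdi` flag and the sample hosts are assumptions, as is treating VDI builds other than 6.1.16 and 6.2.12 as affected when below 6.3.10.

```python
from typing import List, NamedTuple, Tuple

# Boundary reported for CVE-2025-49457: versions before 6.3.10 are affected.
FIXED_VERSION: Tuple[int, ...] = (6, 3, 10)
# VDI builds the advisory names as not affected.
VDI_EXEMPT = {(6, 1, 16), (6, 2, 12)}
# Affected product lines as listed in the advisory (names assumed to match
# whatever the inventory tool reports).
AFFECTED_PRODUCTS = {
    "Zoom Workplace", "Zoom Rooms", "Zoom Rooms Controller", "Zoom Meeting SDK",
}


class Install(NamedTuple):
    host: str
    product: str
    version: str
    vdi: bool = False  # assumed field: True for VDI client builds


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.3.9.1234' into (6, 3, 9, 1234) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(inst: Install) -> bool:
    """True when the install falls in the affected range for CVE-2025-49457."""
    if inst.product not in AFFECTED_PRODUCTS:
        return False
    ver = parse_version(inst.version)
    # Assumption: only the two named VDI builds are exempt; other VDI builds
    # below 6.3.10 are treated as affected.
    if inst.vdi and ver[:3] in VDI_EXEMPT:
        return False
    return ver < FIXED_VERSION


def triage(installs: List[Install]) -> List[str]:
    """Return the hosts that still need the 6.3.10 update, for patch tracking."""
    return [i.host for i in installs if is_vulnerable(i)]


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Install("ws-001", "Zoom Workplace", "6.3.9.1234"),
    Install("ws-002", "Zoom Workplace", "6.3.10.5678"),
    Install("room-01", "Zoom Rooms", "6.2.5"),
    Install("vdi-01", "Zoom Workplace", "6.2.12", vdi=True),
    Install("vdi-02", "Zoom Workplace", "6.2.11", vdi=True),
]

if __name__ == "__main__":
    print("Needs 6.3.10:", triage(SAMPLE_INVENTORY))
```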
Zoom, headquartered in San Jose, California, operates one of the most widely used video conferencing platforms globally, serving hundreds of millions of users across business, education, and government sectors. Because its software often runs in sensitive environments, flaws enabling remote code execution or privilege escalation are particularly concerning. If left unpatched, this vulnerability could provide a foothold for attackers to move laterally inside corporate networks.
The company also addressed a medium-severity bug, CVE-2025-49456, on the same day. This second flaw involves a race condition in the Zoom installer for Windows. While it requires local access and does not impact confidentiality, it could allow an unauthenticated user to alter application files, potentially injecting malicious components during installation. This issue, discovered by security researcher “sim0nsecurity,” affects slightly different version ranges and requires separate patching.