MidnightBSD

Advisories for zoom

CVE-2004-0680 HIGH

Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zoom model_5560_x3_ethernet_adsl_modem *
CVE-2014-5811 MEDIUM

The ZOOM Cloud Meetings (aka us.zoom.videomeetings) application @7F060008 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-310,

Products Affected

Vendor Product Version
zoom zoom_cloud_meetings @7f060008
CVE-2017-15048 MEDIUM

Stack-based buffer overflow in the ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2017-15049 HIGH

The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 does not properly sanitize user input when constructing a shell command, which allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2018-15715 HIGH

Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-290,CWE-20,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2019-13449 MEDIUM

In the Zoom Client before 4.4.2 on macOS, remote attackers can cause a denial of service (continual focus grabs) via a sequence of invalid launch?action=join&confno= requests to localhost port 19421.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2019-13450 MEDIUM

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-862,

Products Affected

Vendor Product Version
zoom zoom *
ringcentral ringcentral 7.0.136380.0312
CVE-2019-13567 MEDIUM

The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not installed or can't be opened, an attacker can remotely execute code with a maliciously crafted launch URL. NOTE: ZoomOpener is removed by the Apple Malware Removal Tool (MRT) if this tool is enabled and has the 2019-07-10 MRTConfigData.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-78,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2020-11443 HIGH

The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: HIGH

Problem Type: CWE-59,CWE-732,

Products Affected

Vendor Product Version
zoom it_installer *
CVE-2020-11469 HIGH

Zoom Client for Meetings through 4.6.8 on macOS copies runwithroot to a user-writable temporary directory during installation, which allows a local process (with the user's privileges) to obtain root access by replacing runwithroot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-552,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2020-11470 LOW

Zoom Client for Meetings through 4.6.8 on macOS has the disable-library-validation entitlement, which allows a local process (with the user's privileges) to obtain unprompted microphone and camera access by loading a crafted library and thereby inheriting Zoom Client's microphone and camera access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-345,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2020-11500 MEDIUM

Zoom Client for Meetings through 4.6.9 uses the ECB mode of AES for video and audio encryption. Within a meeting, all participants use a single 128-bit key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2020-11876 MEDIUM

airhost.exe in Zoom Client for Meetings 4.6.11 uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. NOTE: the vendor states that this initialization only occurs within unreachable code

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-327,CWE-327,

Products Affected

Vendor Product Version
zoom meetings 4.6.11
CVE-2020-11877 MEDIUM

airhost.exe in Zoom Client for Meetings 4.6.11 uses 3423423432325249 as the Initialization Vector (IV) for AES-256 CBC encryption. NOTE: the vendor states that this IV is used only within unreachable code

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-330,CWE-330,

Products Affected

Vendor Product Version
zoom meetings 4.6.11
CVE-2020-6109 HIGH

An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
zoom zoom 4.6.10
CVE-2020-6110 MEDIUM

An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
zoom zoom 4.6.10
CVE-2020-9767 HIGH

A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-427,

Products Affected

Vendor Product Version
zoom sharing_service 5.0.4
CVE-2021-28133 MEDIUM

Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window and get into focus. (An attacker can, of course, use a separate screen-recorder application, unsupported by Zoom, to save all such contents for later replays and analysis.) Depending on the unintentionally shared data, this short exposure of screen contents may be a more or less severe security issue.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-200,

Products Affected

Vendor Product Version
zoom zoom *
CVE-2021-30480 HIGH

Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cve@mitre.org 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zoom chat *
CVE-2021-33907 HIGH

The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-295,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2021-34408 MEDIUM

The Zoom Client for Meetings for Windows in all versions before version 5.3.2 writes log files to a user writable directory as a privileged user during the installation or update of the client. This could allow for potential privilege escalation if a link was created between the user writable directory used and a non-user writable directory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-59,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2021-34409 HIGH

It was discovered that the installation packages of the Zoom Client for Meetings for MacOS (Standard and for IT Admin) installation before version 5.2.0, Zoom Client Plugin for Sharing iPhone/iPad before version 5.2.0, and Zoom Rooms for Conference before version 5.1.0, copy pre- and post- installation shell scripts to a user-writable directory. In the affected products listed below, a malicious actor with local access to a user's machine could use this flaw to potentially run arbitrary system commands in a higher privileged context during the installation process.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zoom screen_sharing *
zoom meetings *
zoom rooms *
CVE-2021-34410 HIGH

A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-732,

Products Affected

Vendor Product Version
zoom zoom_plugin_for_microsoft_outlook *
CVE-2021-34411 MEDIUM

During the installation process forZoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
zoom rooms *
CVE-2021-34412 MEDIUM

During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-269,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2021-34413 MEDIUM

All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-367,

Products Affected

Vendor Product Version
zoom zoom_plugin_for_microsoft_outlook *
CVE-2021-34414 MEDIUM

The network proxy page on the web portal for the Zoom on-premise Meeting Connector Controller before version 4.6.348.20201217, Zoom on-premise Meeting Connector MMR before version 4.6.348.20201217, Zoom on-premise Recording Connector before version 3.8.42.20200905, Zoom on-premise Virtual Room Connector before version 4.4.6620.20201110, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network proxy configuration, which could lead to remote command injection on the on-premise image by a web portal administrator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zoom virtual_room_connector_load_balancer *
zoom recording_connector *
zoom meeting_connector *
zoom virtual_room_connector *
CVE-2021-34415 HIGH

The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-770,

Products Affected

Vendor Product Version
zoom meeting_connector *
CVE-2021-34416 HIGH

The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zoom virtual_room_connector_load_balancer *
zoom recording_connector *
zoom meeting_connector *
zoom virtual_room_connector *
CVE-2021-34417 HIGH

The network proxy page on the web portal for the Zoom On-Premise Meeting Connector Controller before version 4.6.365.20210703, Zoom On-Premise Meeting Connector MMR before version 4.6.365.20210703, Zoom On-Premise Recording Connector before version 3.8.45.20210703, Zoom On-Premise Virtual Room Connector before version 4.4.6868.20210703, and Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5496.20210703 fails to validate input sent in requests to set the network proxy password. This could lead to remote command injection by a web portal administrator.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
security@zoom.us 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N 1.5 5.8

CVSS 2.0

Severity: HIGH

Problem Type: CWE-20,

Products Affected

Vendor Product Version
zoom zoom_on-premise_recording_connector *
zoom zoom_on-premise_meeting_connector_controller *
zoom zoom_on-premise_meeting_connector_mmr *
zoom zoom_on-premise_virtual_room_connector_load_balancer *
zoom zoom_on-premise_virtual_room_connector *
CVE-2021-34418 MEDIUM

The login routine of the web console in the Zoom On-Premise Meeting Connector before version 4.6.239.20200613, Zoom On-Premise Meeting Connector MMR before version 4.6.239.20200613, Zoom On-Premise Recording Connector before version 3.8.42.20200905, Zoom On-Premise Virtual Room Connector before version 4.4.6344.20200612, and Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5492.20200616 fails to validate that a NULL byte was sent while authenticating. This could lead to a crash of the login service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4
security@zoom.us 4.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.5 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-476,

Products Affected

Vendor Product Version
zoom zoom_on-premise_recording_connector *
zoom zoom_on-premise_meeting_connector_controller *
zoom zoom_on-premise_meeting_connector_mmr *
zoom zoom_on-premise_virtual_room_connector_load_balancer *
zoom zoom_on-premise_virtual_room_connector *
CVE-2021-34419 MEDIUM

In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,

Products Affected

Vendor Product Version
zoom zoom_client_for_meetings *
CVE-2021-34420 MEDIUM

The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer’s computer.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N 2.8 4.0

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-347,

Products Affected

Vendor Product Version
zoom zoom_client_for_meetings *
CVE-2021-34423 HIGH

A buffer overflow vulnerability was discovered in Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom On-Premise Meeting Connector Controller before version 4.8.12.20211115, Zoom On-Premise Meeting Connector MMR before version 4.8.12.20211115, Zoom On-Premise Recording Connector before version 5.1.0.65.20211116, Zoom On-Premise Virtual Room Connector before version 4.4.7266.20211117, Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64. This can potentially allow a malicious actor to crash the service or application, or leverage this vulnerability to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-120,

Products Affected

Vendor Product Version
zoom windows_meeting_sdk *
zoom meetings *
zoom hybrid_zproxy *
zoom meetings_for_blackberry *
zoom iphone_os_meeting_sdk *
zoom meetings_for_intune *
zoom macos_video_sdk *
zoom virtual_desktop_infrastructure *
zoom android_meeting_sdk *
zoom controllers_for_zoom_rooms *
zoom windows_video_sdk *
zoom meetings_for_chrome_os *
zoom iphone_os_video_sdk *
zoom zoom_on-premise_recording_connector *
zoom macos_meeting_sdk *
zoom android_video_sdk *
zoom vdi_windows_meeting_client *
zoom zoom_on-premise_meeting_connector_controller *
zoom vdi_citrix *
zoom zoom_on-premise_meeting_connector_mmr *
zoom hybrid_mmr *
zoom zoom_on-premise_virtual_room_connector_load_balancer *
zoom rooms_for_conference_rooms *
zoom zoom_on-premise_virtual_room_connector *
zoom vdi_vmware *
zoom vdi_azure_virtual_desktop *
CVE-2021-34424 MEDIUM

A vulnerability was discovered in the Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4, Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1, Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4, Zoom Client for Meetings for Chrome OS before version 5.0.1, Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3, Controllers for Zoom Rooms (for Android, iOS, and Windows) before version 5.8.3, Zoom VDI Windows Meeting Client before version 5.8.4, Zoom VDI Azure Virtual Desktop Plugins (for Windows x86 or x64, IGEL x64, Ubuntu x64, HP ThinPro OS x64) before version 5.8.4.21112, Zoom VDI Citrix Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom VDI VMware Plugins (for Windows x86 or x64, Mac Universal Installer & Uninstaller, IGEL x64, eLux RP6 x64, HP ThinPro OS x64, Ubuntu x64, CentOS x 64, Dell ThinOS) before version 5.8.4.21112, Zoom Meeting SDK for Android before version 5.7.6.1922, Zoom Meeting SDK for iOS before version 5.7.6.1082, Zoom Meeting SDK for macOS before version 5.7.6.1340, Zoom Meeting SDK for Windows before version 5.7.6.1081, Zoom Video SDK (for Android, iOS, macOS, and Windows) before version 1.1.2, Zoom on-premise Meeting Connector before version 4.8.12.20211115, Zoom on-premise Meeting Connector MMR before version 4.8.12.20211115, Zoom on-premise Recording Connector before version 5.1.0.65.20211116, Zoom on-premise Virtual Room Connector before version 4.4.7266.20211117, Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5692.20211117, Zoom Hybrid Zproxy before version 1.0.1058.20211116, and Zoom Hybrid MMR before version 4.6.20211116.131_x86-64 which potentially allowed for the exposure of the state of process memory. This issue could be used to potentially gain insight into arbitrary areas of the product's memory.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-125,

Products Affected

Vendor Product Version
zoom windows_meeting_sdk *
zoom meetings *
zoom hybrid_zproxy *
zoom meetings_for_blackberry *
zoom iphone_os_meeting_sdk *
zoom meetings_for_intune *
zoom macos_video_sdk *
zoom virtual_desktop_infrastructure *
zoom android_meeting_sdk *
zoom controllers_for_zoom_rooms *
zoom windows_video_sdk *
zoom meetings_for_chrome_os *
zoom iphone_os_video_sdk *
zoom zoom_on-premise_recording_connector *
zoom macos_meeting_sdk *
zoom android_video_sdk *
zoom zoom_on-premise_meeting_connector_controller *
zoom vdi_citrix *
zoom zoom_on-premise_meeting_connector_mmr *
zoom hybrid_mmr *
zoom zoom_on-premise_virtual_room_connector_load_balancer *
zoom rooms_for_conference_rooms *
zoom zoom_on-premise_virtual_room_connector *
zoom vdi_vmware *
zoom vdi_azure_virtual_desktop *
CVE-2021-34425 MEDIUM

The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.7 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N 1.6 2.7
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22780 HIGH

The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 2.8 3.6

CVSS 2.0

Severity: HIGH

Problem Type: CWE-400,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22781 MEDIUM

The Zoom Client for Meetings for MacOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor updating an unsuspecting user’s currently installed version to a less secure version.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-354,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22782 MEDIUM

The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6; was susceptible to a local privilege escalation issue during the installer repair operation. A malicious actor could utilize this to potentially delete system level files or folders, causing integrity or availability issues on the user’s host machine.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 1.8 5.2
security@zoom.us 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H 1.5 5.8

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zoom vdi_windows_meeting_clients *
zoom meetings *
zoom rooms_for_conference_rooms *
zoom zoom_plugin_for_microsoft_outlook *
CVE-2022-22783 MEDIUM

A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a passive attacker.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
zoom zoom_on-premise_meeting_connector_mmr 4.8.102.20220310
zoom zoom_on-premise_meeting_connector_controller 4.8.102.20220310
CVE-2022-22784 MEDIUM

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-91,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22785 MEDIUM

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 3.9 5.2
security@zoom.us 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L 1.6 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-565,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22786 MEDIUM

The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0, fails to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security@zoom.us 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-494,

Products Affected

Vendor Product Version
zoom meetings *
zoom rooms *
CVE-2022-22787 MEDIUM

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting users client to connect to a malicious server when attempting to use Zoom services.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security@zoom.us 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L 1.6 4.2

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-295,

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-22788 MEDIUM

The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 are susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victims host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 1.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-427,

Products Affected

Vendor Product Version
zoom meetings *
zoom rooms *
CVE-2022-28749 MEDIUM

Zooms On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zooms waiting room can join the meeting without the consent of the host.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
zoom on-premise_meeting_connector_multimedia_router 4.8.113.20220526
CVE-2022-28750

Zoom On-Premise Meeting Connector Zone Controller (ZC) before version 4.8.20220419.112 fails to properly parse STUN error codes, which can result in memory corruption and could allow a malicious actor to crash the application. In versions older than 4.8.12.20211115, this vulnerability could also be leveraged to execute arbitrary code.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
zoom meeting_connector *
CVE-2022-28751

The Zoom Client for Meetings for MacOS (Standard and for IT Admin) before version 5.11.3 contains a vulnerability in the package signature validation during the update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-28752

Zoom Rooms for Conference Rooms for Windows versions before 5.11.0 are susceptible to a Local Privilege Escalation vulnerability. A local low-privileged malicious user could exploit this vulnerability to escalate their privileges to the SYSTEM user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-28753

Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
zoom meeting_connector *
CVE-2022-28754

Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N 2.8 4.2

Products Affected

Vendor Product Version
zoom meeting_connector *
CVE-2022-28755

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including the potential for remote code execution through launching executables from arbitrary paths.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
zoom zoom *
zoom virtual_desktop_infrastructure *
CVE-2022-28756

The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-28757

The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.6 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-28758

Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor could obtain the audio and video feed of a meeting they were not authorized to join and cause other meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2
nvd@nist.gov 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
zoom zoom_on-premise_meeting_connector_mmr *
CVE-2022-28759

Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor could obtain the audio and video feed of a meeting they were not authorized to join and cause other meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.6 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L 3.9 4.7
security@zoom.us 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N 3.9 4.2

Products Affected

Vendor Product Version
zoom zoom_on-premise_meeting_connector_mmr *
CVE-2022-28760

Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor could obtain the audio and video feed of a meeting they were not authorized to join and cause other meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom_on-premise_meeting_connector_mmr *
CVE-2022-28761

Zoom On-Premise Meeting Connector MMR before version 4.8.20220916.131 contains an improper access control vulnerability. As a result, a malicious actor in a meeting or webinar they are authorized to join could prevent participants from receiving audio and video causing meeting disruptions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom_on-premise_meeting_connector_mmr *
CVE-2022-28762

Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with 5.10.6 and prior to 5.12.0 contains a debugging port misconfiguration. When camera mode rendering context is enabled as part of the Zoom App Layers API by running certain Zoom Apps, a local debugging port is opened by the Zoom client. A local malicious user could use this debugging port to connect to and control the Zoom Apps running in the Zoom client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zoom.us 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L 1.8 5.5

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-28763

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
nvd@nist.gov 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zoom meetings *
zoom rooms_for_conference_rooms *
zoom virtual_desktop_infrastructure *
CVE-2022-28764

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.6 is susceptible to a local information exposure vulnerability. A failure to clear data from a local SQL database after a meeting ends and the usage of an insufficiently secure per-device key encrypting that database results in a local malicious user being able to obtain meeting information such as in-meeting chat for the previous meeting attended from that local user account.

Products Affected

Vendor Product Version
zoom vdi_windows_meeting_clients *
zoom meetings *
zoom rooms *
CVE-2022-28766

Windows 32-bit versions of the Zoom Client for Meetings before 5.12.6 and Zoom Rooms for Conference Room before version 5.12.6 are susceptible to a DLL injection vulnerability. A local low-privileged user could exploit this vulnerability to run arbitrary code in the context of the Zoom client.

Products Affected

Vendor Product Version
zoom meetings *
zoom rooms *
CVE-2022-28768

The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to root.

Products Affected

Vendor Product Version
zoom meetings *
CVE-2022-36924

The Zoom Rooms Installer for Windows prior to 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to the SYSTEM user.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-36925

Zoom Rooms for macOS clients before version 5.11.4 contain an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated using parameters that could be obtained by a local low-privileged application. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-36926

Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-36927

Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-36928

Zoom for Android clients before version 5.13.0 contain a path traversal vulnerability. A third party app could exploit this vulnerability to read and write to the Zoom application data directory.

Products Affected

Vendor Product Version
zoom zoom *
CVE-2022-36929

The Zoom Rooms Installer for Windows prior to 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to the SYSTEM user.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2022-36930

Zoom Rooms for Windows installers before version 5.13.0 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-22880

Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft’s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft’s telemetry behavior.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security@zoom.us 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-22881

Zoom clients before version 5.13.5 contain a STUN parsing vulnerability. A malicious actor could send specially crafted UDP traffic to a victim Zoom client to remotely cause the client to crash, causing a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-22882

Zoom clients before version 5.13.5 contain a STUN parsing vulnerability. A malicious actor could send specially crafted UDP traffic to a victim Zoom client to remotely cause the client to crash, causing a denial of service.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-22883

Zoom Client for IT Admin Windows installers before version 5.13.5 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain during the installation process to escalate their privileges to the SYSTEM user.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zoom.us 7.2 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H 0.8 5.8

Products Affected

Vendor Product Version
zoom meetings *
CVE-2023-28596

Zoom Client for IT Admin macOS installers before version 5.13.5 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain during the installation process to escalate their privileges to privileges to root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom meetings *
CVE-2023-28597

Zoom clients prior to 5.13.5 contain an improper trust boundary implementation vulnerability. If a victim saves a local recording to an SMB location and later opens it using a link from Zoom’s web portal, an attacker positioned on an adjacent network to the victim client could set up a malicious SMB server to respond to client requests, causing the client to execute attacker controlled executables. This could result in an attacker gaining access to a user's device and data, and remote code execution.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 1.6 5.9
security@zoom.us 8.3 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-28598

Zoom for Linux clients prior to 5.13.10 contain an HTML injection vulnerability. If a victim starts a chat with a malicious user it could result in a Zoom application crash.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-28599

Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-28600

Zoom for MacOSclients prior to 5.14.0 contain an improper access control vulnerability. A malicious user may be able to delete/replace Zoom Client files potentially causing a loss of integrity and availability to the Zoom Client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.2 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L 1.0 3.7

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-28601

Zoom for Windows clients prior to 5.14.0 contain an improper restriction of operations within the bounds of a memory buffer vulnerability. A malicious user may alter protected Zoom Client memory buffer potentially causing integrity issues within the Zoom Client.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.3 HIGH CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H 1.6 6.0

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-28602

Zoom for Windows clients prior to 5.13.5 contain an improper verification of cryptographic signature vulnerability. A malicious user may potentially downgrade Zoom Client components to previous versions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 2.8 LOW CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N 1.1 1.4

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-28603

Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.7 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L 1.1 6.0

Products Affected

Vendor Product Version
zoom virtual_desktop_infrastructure *
CVE-2023-34114

Exposure of resource to wrong sphere in Zoom for Windows and Zoom for MacOS clients before 5.14.10 may allow an authenticated user to potentially enable information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N 2.8 4.0

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-34115

Buffer copy without checking size of input in Zoom Meeting SDK before 5.13.0 may allow an authenticated user to potentially enable a denial of service via local access. This issue may result in the Zoom Meeting SDK to crash and need to be restarted.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L 2.5 1.4

Products Affected

Vendor Product Version
zoom meeting_sdk *
CVE-2023-34116

Improper input validation in the Zoom Desktop Client for Windows before version 5.15.0 may allow an unauthorized user to enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.2 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-34117

Relative path traversal in the Zoom Client SDK before version 5.15.0 may allow an unauthorized user to enable information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
zoom zoom_software_development_kit *
CVE-2023-34118

Improper privilege management in Zoom Rooms for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L 2.0 4.7

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-34119

Insecure temporary file in the installer for Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-34120

Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Users may potentially utilize higher level system privileges maintained by the Zoom client to spawn processes with escalated privileges.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.7 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L 2.0 6.0

Products Affected

Vendor Product Version
zoom virtual_desktop_infrastructure *
CVE-2023-34121

Improper input validation in the Zoom for Windows, Zoom Rooms, Zoom VDI Windows Meeting clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 2.3 1.4

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-36532

Buffer overflow in Zoom Clients before 5.14.5 may allow an unauthenticated user to enable a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H 2.2 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-36533

Uncontrolled resource consumption in Zoom SDKs before 5.14.7 may allow an unauthenticated user to enable a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H 2.8 4.2

Products Affected

Vendor Product Version
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2023-36534

Path traversal in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 9.3 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H 2.8 5.8

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-36535

Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-36536

Untrusted search path in the installer for Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.2 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H 1.5 6.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-36537

Improper privilege management in Zoom Rooms for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L 2.0 4.7

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-36538

Improper access control in Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.4 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H 2.0 5.8

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-36539

Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
zoom rooms 5.15.0
zoom poly_ccx_700_firmware 5.15.0
zoom yealink_vp59_firmware 5.15.0
zoom video_software_development_kit 1.8.0
zoom zoom 5.15.1
zoom yealink_mp54_firmware 5.15.0
zoom yealink_mp56_firmware 5.15.0
zoom zoom 5.15.0
zoom poly_ccx_600_firmware 5.15.0
zoom meetings 5.15.0
zoom meetings 5.15.1
CVE-2023-36540

Untrusted search path in the installer for Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.3 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L 2.0 4.7

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-36541

Insufficient verification of data authenticity in Zoom Desktop Client for Windows before 5.14.5 may allow an authenticated user to enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.0 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H 2.1 5.9

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-39199

Cryptographic issues with In-Meeting Chat for some Zoom clients may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-39201

Untrusted search path in CleanZoom before file date 07/24/2023 may allow a privileged user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.7 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.8 5.9
security@zoom.us 7.2 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 0.6 6.0

Products Affected

Vendor Product Version
zoom cleanzoom *
CVE-2023-39202

Untrusted search path in Zoom Rooms Client for Windows and Zoom VDI Client may allow a privileged user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.1 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L 0.6 2.5
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-39203

Uncontrolled resource consumption in Zoom Team Chat for Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom virtual_desktop_infrastructure *
CVE-2023-39204

Buffer overflow in some Zoom clients may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom rooms *
zoom video_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-39205

Improper conditions check in Zoom Team Chat for Zoom clients may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom video_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-39206

Buffer overflow in some Zoom clients may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L 2.2 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom rooms *
zoom video_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-39208

Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-39209

Improper input validation in Zoom Desktop Client for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L 1.6 4.2

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-39210

Cleartext storage of sensitive information in Zoom Client SDK for Windows before 5.15.0 may allow an authenticated user to enable an information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6

Products Affected

Vendor Product Version
zoom meeting_software_development_kit *
CVE-2023-39211

Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows before 5.15.5 may allow an authenticated user to enable an information disclosure via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
CVE-2023-39212

Untrusted search path in Zoom Rooms for Windows before version 5.15.5 may allow an authenticated user to enable a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.9 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H 1.5 5.8

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-39213

Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client before 5.15.2 may allow an unauthenticated user to enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zoom zoom *
zoom virtual_desktop_infrastructure *
CVE-2023-39214

Exposure of sensitive information in Zoom Client SDK's before 5.15.5 may allow an authenticated user to enable a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.6 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H 2.8 4.7

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2023-39215

Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
zoom zoom *
zoom meeting_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-39216

Improper input validation in Zoom Desktop Client for Windows before 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zoom zoom *
CVE-2023-39217

Improper input validation in Zoom SDK’s before 5.14.10 may allow an unauthenticated user to enable a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2023-39218

Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow a privileged user to enable information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N 0.9 5.2

Products Affected

Vendor Product Version
zoom zoom *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-43582

Improper authorization in some Zoom clients may allow an authorized user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L 2.1 3.4
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom rooms *
zoom virtual_desktop_infrastructure *
CVE-2023-43583

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2023-43585

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L 2.8 4.2
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2023-43586

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.3 HIGH CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N 1.0 5.8
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom zoom *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-43588

Insufficient control flow management in some Zoom clients may allow an authenticated user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom meetings *
zoom virtual_desktop_infrastructure *
CVE-2023-43590

Link following in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zoom.us 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-43591

Improper privilege management in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9
security@zoom.us 7.8 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.1 6.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2023-49646

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
security@zoom.us 6.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L 3.1 2.7

Products Affected

Vendor Product Version
zoom zoom *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2023-49647

Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0
nvd@nist.gov 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom zoom *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2024-24690

Improper input validation in some Zoom clients may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L 2.8 2.5

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom rooms *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-24691

Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-24692

Race condition in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:N/A:H 0.8 4.0

Products Affected

Vendor Product Version
zoom rooms *
CVE-2024-24693

Improper access control in the installer for Zoom Rooms Client for Windows before version 5.17.5 may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.2 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H 0.8 5.8

Products Affected

Vendor Product Version
zoom rooms *
CVE-2024-24694

Improper privilege management in the installer for Zoom Desktop Client for Windows before version 5.17.10 may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.9 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N 1.5 4.0

Products Affected

Vendor Product Version
zoom zoom *
CVE-2024-24695

Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom meeting_software_development_kit *
CVE-2024-24696

Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom meeting_software_development_kit *
CVE-2024-24697

Untrusted search path in some Zoom 32 bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.2 HIGH CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H 0.6 6.0

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-24698

Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-24699

Business logic error in some Zoom clients may allow an authenticated user to conduct information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
zoom vdi_windows_meeting_clients *
zoom rooms *
zoom meeting_sdk *
CVE-2024-27238

Race condition in the installer for some Zoom Apps and SDKs for Windows before version 6.0.0 may allow an authenticated user to conduct a privilege escalation via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-27239

Use after free in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-27240

Improper input validation in the installer for some Zoom Apps for Windows may allow an authenticated user to conduct a privilege escalation via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.1 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 1.8 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace_virtual_desktop_infrastructure *
CVE-2024-27241

Improper input validation in some Zoom Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 3.9 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-27242

Cross site scripting in Zoom Desktop Client for Linux before version 5.17.10 may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:L 2.3 1.4

Products Affected

Vendor Product Version
zoom zoom *
CVE-2024-27243

Buffer overflow in some Zoom Workplace Apps and SDK’s may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom workplace *
zoom meeting_software_development_kit *
zoom virtual_desktop_infrastructure *
CVE-2024-27244

Insufficient verification of data authenticity in the installer for Zoom Workplace VDI App for Windows may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
zoom workplace_virtual_desktop_infrastructure *
CVE-2024-27245

Buffer overflow in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-27246

Use after free in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-27247

Improper privilege management in the installer for Zoom Desktop Client for macOS before version 5.17.10 may allow a privileged user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N 1.1 4.0

Products Affected

Vendor Product Version
zoom zoom *
CVE-2024-39819

Integrity check in the installer for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct a privilege escalation via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.7 MEDIUM CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H 0.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-39820

Uncontrolled search path element in the installer for Zoom Workplace Desktop App for macOS before version 6.0.10 may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H 1.3 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
CVE-2024-39821

Race condition in the installer for Zoom Workplace App for Windows and Zoom Rooms App for Windows may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H 1.3 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
CVE-2024-39823

Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-39824

Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-39826

Race condition in Team Chat for some Zoom Workplace Apps and SDKs for Windows may allow an authenticated user to conduct information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N 2.3 4.0

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-39827

Improper input validation in the installer for Zoom Workplace Desktop App for Windows before version 6.0.10 may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H 1.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
CVE-2024-42434

Missing authorization in some Zoom Workplace Apps, SDKs, Rooms Clients, and Rooms Controllers may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-42441

Incorrect privilege assignment in the installer for Zoom Workplace Desktop App for macOS, Zoom Meeting SDK for macOS and Zoom Rooms Client for macOS before 6.1.5 may allow a privileged user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.2 MEDIUM CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.3 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom meeting_software_development_kit *
CVE-2024-45417

Uncontrolled resource consumption in the installer for some Zoom apps for macOS before version 6.1.5 may allow a privileged user to conduct a disclosure of information via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 1.8 3.6
security@zoom.us 6.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N 0.8 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45418

Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45419

Improper input validation in some Zoom Apps may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45420

Uncontrolled resource consumption in some Zoom Apps before version 6.2.0 may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45421

Buffer overflow in some Zoom Apps may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45422

Improper input validation in some Zoom Apps before version 6.2.0 may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2024-45424

Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-45425

Incorrect user management in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2024-45426

Incorrect ownership assignment in some Zoom Workplace Apps may allow a privileged user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
security@zoom.us 4.9 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-0143

Out-of-bounds write in the Zoom Workplace App for Linux before version 6.2.5 may allow an unauthorized user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2025-0144

Out-of-bounds write in some Zoom Workplace Apps may allow an authorized user to conduct a loss of integrity via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.1 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N 1.6 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2025-0145

Untrusted search path in the installer for some Zoom Workplace Apps for Windows may allow an authorized user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L 1.5 2.7

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2025-0146

Symlink following in the installer for Zoom Workplace App for macOS before 6.2.10 may allow an authenticated user to conduct a denial of service via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.9 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:L 1.3 2.5

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2025-0147

Type confusion in the Zoom Workplace App for Linux before 6.2.10 may allow an authorized user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom video_software_development_kit *
zoom meeting_software_development_kit *
CVE-2025-0149

Insufficient verification of data authenticity in some Zoom Workplace Apps may allow an unprivileged user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L 3.9 2.5

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-0150

Incorrect behavior order in some Zoom Workplace Apps for iOS before version 6.3.0 may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6
security@zoom.us 7.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H 2.8 4.2

Products Affected

Vendor Product Version
zoom workplace *
zoom meeting_software_development_kit *
CVE-2025-0151

Use after free in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9
security@zoom.us 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-27439

Buffer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-27440

Heap overflow in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.5 HIGH CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H 1.8 6.0
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-27441

Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.6 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
nvd@nist.gov 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-27442

Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.6 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N 2.1 2.5
nvd@nist.gov 5.2 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.1 2.7

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-27443

Insecure default variable initialization in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a loss of integrity via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N 1.8 3.6
security@zoom.us 2.8 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N 1.3 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom meeting_software_development_kit *
CVE-2025-30662

Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 1.3 5.2

Products Affected

Vendor Product Version
zoom workplace_virtual_desktop_infrastructure *
CVE-2025-30663

Time-of-check time-of-use race condition in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 2.0 6.0

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30664

Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.6 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N 1.3 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30665

NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30666

NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30667

NULL pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30668

Integer underflow in some Zoom Workplace Apps may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30669

Improper certificate validation in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via adjacent access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.8 MEDIUM CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.2 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30670

Null pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-30671

Null pointer dereference in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-46785

Buffer over-read in some Zoom Workplace Apps for Windows may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-46786

Cross-site scripting in some Zoom Workplace Apps may allow an authenticated user to impact app integrity via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-46788

Improper certificate validation in Zoom Workplace for Linux before version 6.4.13 may allow an unauthorized user to conduct an information disclosure via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
zoom workplace_desktop *
CVE-2025-46789

Classic buffer overflow in certain Zoom Clients for Windows may allow an authorized user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom -
CVE-2025-49456

Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact application integrity via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.1 MEDIUM CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N 1.4 3.6
security@zoom.us 6.2 MEDIUM CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 2.5 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-49457

Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H 2.8 5.9
security@zoom.us 9.6 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-49458

Buffer overflow in certain Zoom Workplace Clients may allow an authenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-49460

Uncontrolled resource consumption in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 3.9 3.6
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-49461

Cross-site scripting in certain Zoom Workplace Clients may allow an unauthenticated user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.4 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H 2.8 4.0
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-49462

Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 3.5 LOW CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N 2.1 1.4

Products Affected

Vendor Product Version
zoom zoom *
CVE-2025-49463

Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2025-49464

Classic buffer overflow in certain Zoom Clients for Windows may allow an authorised user to conduct a denial of service via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H 2.8 3.6

Products Affected

Vendor Product Version
zoom zoom *
CVE-2025-58132

Command injection in some Zoom Clients for Windows may allow an authenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 2.3 1.4
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-58133

Authentication bypass in some Zoom Rooms Clients before version 6.5.1 may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
zoom rooms *
CVE-2025-58134

Incorrect authorization in certain Zoom Workplace Clients for Windows may allow an authenticated user to conduct an impact to integrity via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-58135

Improper action enforcement in certain Zoom Workplace Clients for Windows may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N 2.8 3.6
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 1.6 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-62482

Cross-site scripting in Zoom Workplace for Windows before version 6.5.10 may allow an unauthenticated user to impact integrity via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom meeting_software_development_kit *
CVE-2025-62483

Improper removal of sensitive information in certain Zoom Clients before version 6.5.10 may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-62484

Inefficient regular expression complexity in certain Zoom Workplace Clients before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zoom workplace *
zoom meeting_software_development_kit *
CVE-2025-64738

External control of file name or path in Zoom Workplace for macOS before version 6.5.10 may allow an authenticated user to conduct a disclosure of information via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 1.3 3.6

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom meeting_software_development_kit *
CVE-2025-64739

External control of file name or path in certain Zoom Clients may allow an unauthenticated user to conduct a disclosure of information via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N 2.8 1.4

Products Affected

Vendor Product Version
zoom workplace_desktop *
zoom rooms *
zoom rooms_controller *
zoom workplace_virtual_desktop_infrastructure *
zoom meeting_software_development_kit *
CVE-2025-64740

Improper verification of cryptographic signature in the installer for Zoom Workplace VDI Client for Windows may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.5 HIGH CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H 0.8 6.0

Products Affected

Vendor Product Version
zoom workplace_virtual_desktop_infrastructure *
CVE-2025-64741

Improper authorization handling in Zoom Workplace for Android before version 6.5.10 may allow an unauthenticated user to conduct an escalation of privilege via network access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N 2.8 5.2

Products Affected

Vendor Product Version
zoom workplace *
zoom meeting_software_development_kit *
CVE-2025-67460

Protection Mechanism Failure of Software Downgrade in Zoom Rooms for Windows before 6.6.0 may allow an unauthenticated user to conduct an escalation of privilege via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 1.8 5.9

Products Affected

Vendor Product Version
zoom rooms *
CVE-2025-67461

External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
security@zoom.us 5.0 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N 1.3 3.6

Products Affected

Vendor Product Version
zoom rooms *