- Zoom warns that multiple versions of its Windows client are vulnerable
- A security flaw can be used to fully take over target endpoints
- Zoom says a patch is available, so users need to update now
Zoom has patched a critical-severity vulnerability that could have enabled threat actors to escalate their privileges over the network.
The online collaboration company found that its Windows application does not always use explicit full paths when loading dynamic-link libraries (DLLs). Instead, it relies on Windows' default DLL search order, which means that if an attacker were able to place a malicious DLL in the right location, Zoom could load and execute it. It is similar to a bring-your-own-vulnerable-driver attack, though not identical.
So if the DLL triggers the installation of follow-on malware such as backdoors or ransomware, and if Zoom is running with elevated privileges, the threat actors could in theory take over the entire endpoint.
In other scenarios, the vulnerability could be used to harvest sensitive files such as meeting recordings, contact lists, credentials and the like. Attackers could also pivot deeper into the corporate network and reach domain controllers or other high-value systems.
The worst part of this flaw is that exploiting it does not require any prior authorization and can be described as low in complexity. All a threat actor needs is a path that the target machine trusts; it does not even require advanced skills, just placing the malicious DLL in the right location.
The vulnerability affecting the Windows client is tracked as CVE-2025-49457 and has a severity of 9.6/10 (critical).
Zoom’s spread in business, especially since the Covid-19 pandemic, means that the attack surface is quite large.
Affected products include Zoom Workplace for Windows before version 6.3.10, Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12), and Zoom Rooms for Windows before version 6.3.10.
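For anyone triaging a software inventory against the version ranges above, here is an added example (not from the article or from Zoom) that flags which installs still need the CVE-2025-49457 update. The product labels and the sample inventory are this example's own constructions; the version boundaries and the VDI exceptions are the ones the advisory lists.

```python
# Added example: check Zoom for Windows installs against the affected ranges
# the advisory gives for CVE-2025-49457. Product keys are labels chosen for
# this example (assumption); the version numbers come from the advisory.

FIXED = (6, 3, 10)                                  # first fixed version for every listed product
VDI_PATCHED_EXCEPTIONS = {(6, 1, 16), (6, 2, 12)}   # VDI builds the advisory excludes
PRODUCTS = {"zoom workplace", "zoom workplace vdi", "zoom rooms"}

def parse_version(text):
    """Turn '6.3.10' (or a longer build string like '6.3.10.1234') into a tuple.
    Tuples compare numerically, so 6.10.0 is correctly newer than 6.3.10."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])

def is_affected(product, version):
    """Return True if this product/version still needs the CVE-2025-49457 patch."""
    key = product.strip().lower()
    if key not in PRODUCTS:
        return False                                # not a Windows product named in the advisory
    v = parse_version(version)
    if v >= FIXED:
        return False
    if key == "zoom workplace vdi" and v in VDI_PATCHED_EXCEPTIONS:
        return False                                # 6.1.16 / 6.2.12 VDI builds are already patched
    return True                                     # note: 6.2.12 on Zoom Rooms is still affected

def triage(inventory):
    """inventory: iterable of (hostname, product, version); returns the exposed entries."""
    return [(host, product, version) for host, product, version in inventory
            if is_affected(product, version)]

# Constructed sample inventory, shaped like a software-inventory export.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace", "6.3.5"),
    ("ws-02", "Zoom Workplace", "6.3.10"),
    ("vdi-01", "Zoom Workplace VDI", "6.1.16"),
    ("vdi-02", "Zoom Workplace VDI", "6.2.5"),
    ("room-01", "Zoom Rooms", "6.2.12"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs updating to 6.3.10 or later")
```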
A patch is already available and users are advised to apply it as soon as possible.