Zoom conference tool: Critical security vulnerability in Windows clients
There is a critical security vulnerability in the Windows clients of the Zoom conferencing software. Updates are available to close it.
(Image: fizkes/Shutterstock.com)
Zoom has reported two security vulnerabilities in its Windows clients. They allow attackers on the network to escalate their privileges without prior login. The company is providing updates to patch the vulnerabilities.
Zoom classifies the more serious vulnerability as a critical threat. According to Zoom's security advisory, it stems from an untrusted search path. “This may allow unauthenticated users to perform privilege escalation via network access,” the company's developers write there (CVE-2025-49457 / EUVD-2025-24529, CVSS 9.6, risk “critical”). However, they give no details on what an attack could look like.
Moderately serious vulnerability
The developers have also fixed a race condition in the software. In somewhat convoluted wording, Zoom states in the associated security notice that unauthenticated users can “affect the integrity with local access” via this vulnerability in the installer of certain Zoom clients for Windows (CVE-2025-49456 / EUVD-2025-24528, CVSS 6.2, risk “medium”). Here too, it remains unclear how attackers could actually abuse this vulnerability.
The critical vulnerability is closed by version 6.3.10 of Zoom Workplace for Windows, Zoom Workplace VDI for Windows (versions 6.1.16 and 6.2.12 are not vulnerable here), Zoom Rooms for Windows, Zoom Rooms Controller for Windows and Zoom Meeting SDK for Windows. The race condition is fixed in Zoom Workplace 6.4.10, Zoom Workplace VDI for Windows 6.3.12 (6.2.15 is not vulnerable), Zoom Rooms and Zoom Rooms Controller for Windows 6.4.5, and Zoom Meeting SDK for Windows 6.4.10.
The latest software is available on the Zoom download page. Given the severity, IT administrators should update to the latest version of the conferencing software as soon as possible.
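The fixed-version list above is easy to misread, especially the VDI builds that are exempted although they are older than the main fix line. The following script is an added example, not Zoom's own tooling: it encodes the product names, fixed versions and exemptions exactly as the article states them and checks a constructed host inventory against them. It assumes the exempted VDI versions are exact version strings rather than whole release branches; the host names and installed versions are constructed samples.

```python
"""Version audit for the Zoom for Windows fixes named in the advisory summary
(CVE-2025-49457, untrusted search path, and CVE-2025-49456, installer race).

Added example, not Zoom's own tooling: product names, fixed versions and the
"not vulnerable" exemptions come from the article; the host inventory below is
constructed. Assumption: the exempted VDI versions are exact version strings,
not whole release branches."""
from dataclasses import dataclass


def parse_version(text: str) -> tuple[int, ...]:
    """'6.3.10' -> (6, 3, 10). Tuples compare component-wise, so 6.3.9 < 6.3.10."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Fix:
    cve: str
    fixed_in: str                  # first version in the main line containing the fix
    exempt: tuple[str, ...] = ()   # older versions the advisory lists as not vulnerable


CRITICAL = "CVE-2025-49457"
MEDIUM = "CVE-2025-49456"

# Fixed versions per product, as stated in the article.
FIXES: dict[str, tuple[Fix, ...]] = {
    "Zoom Workplace for Windows": (Fix(CRITICAL, "6.3.10"), Fix(MEDIUM, "6.4.10")),
    "Zoom Workplace VDI for Windows": (
        Fix(CRITICAL, "6.3.10", exempt=("6.1.16", "6.2.12")),
        Fix(MEDIUM, "6.3.12", exempt=("6.2.15",)),
    ),
    "Zoom Rooms for Windows": (Fix(CRITICAL, "6.3.10"), Fix(MEDIUM, "6.4.5")),
    "Zoom Rooms Controller for Windows": (Fix(CRITICAL, "6.3.10"), Fix(MEDIUM, "6.4.5")),
    "Zoom Meeting SDK for Windows": (Fix(CRITICAL, "6.3.10"), Fix(MEDIUM, "6.4.10")),
}


def is_vulnerable(installed: str, fix: Fix) -> bool:
    """True if the installed version predates the fix and is not an exempted build."""
    if installed.strip() in fix.exempt:
        return False
    return parse_version(installed) < parse_version(fix.fixed_in)


def outstanding_cves(product: str, installed: str) -> list[str]:
    """CVEs still unpatched for one installed client; KeyError for unknown products."""
    return [fix.cve for fix in FIXES[product] if is_vulnerable(installed, fix)]


def audit(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map each host name to its open CVEs; hosts with nothing outstanding are omitted."""
    report: dict[str, list[str]] = {}
    for host, product, installed in inventory:
        open_cves = outstanding_cves(product, installed)
        if open_cves:
            report[host] = open_cves
    return report


# Constructed sample inventory (host, product, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace for Windows", "6.4.10"),       # fully patched
    ("ws-02", "Zoom Workplace for Windows", "6.3.10"),       # critical fixed, race open
    ("vdi-01", "Zoom Workplace VDI for Windows", "6.2.12"),  # exempt from critical only
    ("room-01", "Zoom Rooms for Windows", "6.3.9"),          # both open
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: update required, open {', '.join(cves)}")
```

Feeding the script a real inventory (for example, version strings collected from the installed-programs registry keys on each host) turns the article's list into a per-host update report; note that a client on the critical fix line 6.3.10 still lacks the installer race fix, which is the case the sample host ws-02 illustrates.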
Vulnerabilities in Zoom's web conferencing software were last discovered in May. There, too, a race condition allowed attackers to escalate their privileges on the system.
(dmk)