Cloud-based video conferencing and online collaboration platform Zoom addressed a critical security flaw, tracked as CVE-2025-49457 (CVSS score of 9.6), in Zoom Clients for Windows.
An unauthenticated user can exploit the vulnerability to conduct an escalation of privilege via network access.
“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” reads the advisory published by the company.
The vulnerability impacts the following products:
Vulnerabilities in popular software like Zoom are dangerous because these platforms run on millions of personal and business devices worldwide and often hold sensitive conversations, corporate data, and meeting recordings.
When a flaw like the CVE-2025-49457 privilege escalation bug exists, threat actors can:
Attackers target Zoom because its massive global user base makes it a high-value target, and its status as trusted software means malicious actions through it are less likely to raise suspicion. Additionally, Zoom can serve as an entry point into well-secured organizations that might otherwise have limited avenues for remote access.
In November 2024, Zoom addressed six vulnerabilities in its video conferencing and communication platform. Two of these vulnerabilities, tracked as CVE-2024-45421 and CVE-2024-45419, are high-severity issues that remote attackers could exploit to escalate privileges or leak sensitive information.