Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6
Description
Missing authorization in the installer for Zoom Workplace for Windows on ARM before version 6
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A critical vulnerability has been identified in certain Zoom Clients for Windows, designated CVE-2025-49457. This flaw allows an unauthenticated attacker with network access to escalate privileges on a victim's computer, potentially leading to a full system compromise. Given the widespread use of Zoom, this vulnerability poses a significant risk of data theft, ransomware deployment, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-49457
Affected Software: Certain Zoom Clients for Windows (Multiple Products)
Affected Versions: See vendor advisory for specific affected versions.
Vulnerability: The vulnerability exists due to an untrusted search path flaw, commonly known as DLL hijacking. The Zoom Client application attempts to load a required library (DLL file) without specifying its full, absolute path. An attacker can exploit this by placing a malicious DLL with the same name in a location that the application searches before the legitimate directory, such as an attacker-controlled network share. When a user launches Zoom or triggers a specific function, the application inadvertently loads and executes the attacker's malicious code, granting the attacker code execution with the permissions of the Zoom user, which can then be used to escalate privileges on the system.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation by an unauthenticated network attacker could lead to a complete takeover of the affected user's workstation. The potential consequences include theft of sensitive data discussed or shared via Zoom, unauthorized access to local files, deployment of ransomware, and using the compromised machine as a pivot point to attack other systems on the corporate network. The widespread deployment of Zoom across the organization magnifies the risk, potentially enabling a large-scale security incident from a single vulnerability.
Remediation Plan
Immediate Action: The primary remediation is to update all affected Zoom Clients for Windows to the latest patched version provided by the vendor. System administrators must prioritize the deployment of this update across all corporate workstations. Following the update, continue to monitor for any signs of exploitation attempts and review system and application access logs for suspicious activity.
Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Security teams should look for Zoom processes (
Zoom.exe) loading DLLs from non-standard locations, particularly from network shares (SMB/CIFS). Monitor for unusual child processes spawned by Zoom, unexpected network connections, and file modifications originating from the Zoom process using an Endpoint Detection and Response (EDR) solution.Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of August 12, 2025, there is no known public proof-of-concept exploit code, and the vulnerability is not reported to be actively exploited in the wild. However, due to the critical severity and the ubiquity of the affected software, it is highly probable that threat actors will reverse-engineer the patch to develop an exploit in the near future.
Analyst Recommendation
This vulnerability represents a critical risk to the organization. Given the CVSS score of 9.6 and the potential for an unauthenticated attacker to achieve privilege escalation over the network, immediate action is required. Although this CVE is not currently listed on the CISA KEV catalog, its high severity makes it a likely candidate for future inclusion. We strongly recommend that all system owners prioritize the deployment of the vendor-supplied patch for CVE-2025-49457 with the utmost urgency to prevent potential system compromise.