A critical vulnerability has been identified in certain Zoom Clients for Windows, designated CVE-2025-49457. This flaw allows an unauthenticated attacker with network access to escalate privileges on a victim's computer, potentially leading to a full system compromise. Given the widespread use of Zoom, this vulnerability poses a significant risk of data theft, ransomware deployment, and further network intrusion.

The vulnerability exists due to an untrusted search path flaw, commonly known as DLL hijacking. The Zoom Client application attempts to load a required library (DLL file) without specifying its full, absolute path. An attacker can exploit this by placing a malicious DLL with the same name in a location that the application searches before the legitimate directory, such as an attacker-controlled network share. When a user launches Zoom or triggers a specific function, the application inadvertently loads and executes the attacker's malicious code, granting the attacker code execution with the permissions of the Zoom user, which can then be used to escalate privileges on the system.

This vulnerability is rated as critical severity with a CVSS score of 9.6. Successful exploitation by an unauthenticated network attacker could lead to a complete takeover of the affected user's workstation. The potential consequences include theft of sensitive data discussed or shared via Zoom, unauthorized access to local files, deployment of ransomware, and using the compromised machine as a pivot point to attack other systems on the corporate network. The widespread deployment of Zoom across the organization magnifies the risk, potentially enabling a large-scale security incident from a single vulnerability.

Immediate Action: The primary remediation is to update all affected Zoom Clients for Windows to the latest patched version provided by the vendor. System administrators must prioritize the deployment of this update across all corporate workstations. Following the update, continue to monitor for any signs of exploitation attempts and review system and application access logs for suspicious activity.

Proactive Monitoring: Implement enhanced monitoring to detect potential exploitation attempts. Security teams should look for Zoom processes (Zoom.exe) loading DLLs from non-standard locations, particularly from network shares (SMB/CIFS). Monitor for unusual child processes spawned by Zoom, unexpected network connections, and file modifications originating from the Zoom process using an Endpoint Detection and Response (EDR) solution.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Use application control solutions (e.g., AppLocker) to restrict which DLLs the Zoom application is permitted to load.
• Restrict or block outbound SMB traffic (TCP port 445) from workstations to non-essential network locations to prevent the loading of malicious libraries from remote shares.
• Ensure endpoint security solutions (EDR/XDR) are in place and configured to detect and block anomalous process behaviors, such as those indicative of DLL hijacking.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization. Given the CVSS score of 9.6 and the potential for an unauthenticated attacker to achieve privilege escalation over the network, immediate action is required. Although this CVE is not currently listed on the CISA KEV catalog, its high severity makes it a likely candidate for future inclusion. We strongly recommend that all system owners prioritize the deployment of the vendor-supplied patch for CVE-2025-49457 with the utmost urgency to prevent potential system compromise.