A high-severity vulnerability has been identified in the installer for the Zoom Workplace VDI Client for Windows. This flaw allows a user who is already logged into a workstation to gain elevated administrative privileges by exploiting improper signature verification. Successful exploitation could lead to a complete system compromise, enabling an attacker to install malware, steal sensitive data, and disrupt business operations.

The vulnerability exists within the installer component of the Zoom Workplace VDI Client. The installer fails to properly verify the cryptographic signature of all its components before execution. An attacker with local access to a system and standard user permissions could replace a legitimate file used by the installer with a malicious payload. When a privileged user or an automated deployment system runs the installer, the malicious payload is executed with the elevated permissions of the installer process, resulting in a local privilege escalation.

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation allows an attacker to escalate their privileges from a standard user to a system administrator. This level of access could lead to severe consequences, including the deployment of ransomware, theft of confidential company data, installation of persistent backdoors for long-term access, and the ability to pivot to other critical systems on the corporate network. The direct risks to the organization include data breaches, regulatory fines, reputational damage, and significant operational downtime.

Immediate Action:

• Identify all Windows endpoints running the vulnerable Zoom Workplace VDI Client.
• Deploy the security updates provided by Zoom across all affected systems immediately to patch the vulnerability.
• Prioritize patching for systems used by privileged users and those handling sensitive data.

Proactive Monitoring:

• Monitor Windows Security Event Logs for anomalous privilege escalation events (e.g., Event ID 4672) and suspicious process creation originating from the Zoom installer process.
• Implement file integrity monitoring on directories where the Zoom installer unpacks its temporary files to detect unauthorized modifications.
• Review logs from Endpoint Detection and Response (EDR) solutions for any unusual behavior associated with Zoom processes, such as unexpected network connections or child processes being spawned.

Compensating Controls:

• Enforce the Principle of Least Privilege by ensuring that standard users do not have administrative rights on their workstations.
• Utilize application control or whitelisting solutions to prevent the execution of unauthorized executables from temporary or user-writable directories.
• Restrict user permissions to prevent writing files to system-level directories where installer components might be placed.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and its potential for complete system compromise, it is strongly recommended that the organization prioritize the immediate deployment of the vendor-supplied patches. Although there is no current evidence of active exploitation and it is not listed in the CISA KEV catalog, the risk of a local attacker gaining administrative control is significant. If immediate patching is not feasible, the compensating controls listed above should be implemented to reduce the attack surface and mitigate the risk of exploitation.