Zoom Vulnerability Exploitable via Malicious Executables in User Paths (CVE-2025-49457)
August 21st, 2025
Critical
Our Cyber Threat Intelligence Unit has identified a critical vulnerability in Zoom Windows clients, tracked as CVE-2025-49457 with a CVSS score of 9.6. The flaw stems from an untrusted search path issue in specific Zoom products on Windows. Successful exploitation allows an attacker to escalate privileges.
Zoom has confirmed that multiple Windows-based products are affected, including Workplace, VDI, Rooms, Rooms Controller, and the Meeting SDK. The issue impacts versions before 6.3.10 (with exceptions for VDI 6.1.16 and 6.2.12). A security update (version 6.3.10) has been released to address the vulnerability.
Technical Details
Attack Type: Privilege Escalation
Severity: Critical (CVSS 9.6)
Delivery Method: Exploitation of vulnerable Zoom Windows client installations
Technique: Untrusted Search Path (CWE-426)
CVE ID: CVE-2025-49457
Affected Products:
Zoom Workplace for Windows (pre-6.3.10)
Zoom Workplace VDI for Windows (pre-6.3.10, except 6.1.16 and 6.2.12)
Zoom Rooms for Windows (pre-6.3.10)
Zoom Rooms Controller for Windows (pre-6.3.10)
Zoom Meeting SDK for Windows (pre-6.3.10)
Zoom stated that this flaw arises from the use of an untrusted search path in the affected Windows clients. If exploited, the vulnerability could allow attackers to escalate privileges.
Impact
Attackers can escalate privileges on vulnerable Windows systems by exploiting the untrusted search path flaw.
Successful exploitation could allow installation of malware, theft of sensitive data, or persistence on the device.
If Zoom runs with elevated rights, attackers could gain full system-level control.
A compromised endpoint can be used as a foothold for lateral movement within the network.
Given Zoom’s global adoption in enterprise environments, the flaw posed a major risk to business continuity and data security.
Detection Method
Check Zoom client versions across all Windows systems; any version earlier than 6.3.10 (except VDI 6.1.16 and 6.2.12) should be flagged as vulnerable.
Monitor for privilege escalation events triggered by the Zoom process (
Zoom.exe) on Windows systems.Audit Windows application logs for unusual loading behavior or errors linked to search path usage.
Use vulnerability scanners or patch management tools to verify Zoom update compliance.
Ensure centralized logging is enabled to track attempts of abnormal code execution associated with Zoom.
Indicators of Compromise
There are no Indicators of Compromise (IOCs) for this advisory.
Recommendations
Upgrade all affected Zoom Windows products to version 6.3.10 or later.
Ensure Zoom’s automatic update feature is turned on to stay protected against future vulnerabilities.
Apply least-privilege principles and restrict unnecessary application execution rights.
Implement a robust patch management policy to ensure applications are always running the most secure versions.
Track any attempts to exploit privilege escalation vulnerabilities in Windows environments.
Conclusion
The discovery of CVE-2025-49457 underscores the ongoing risk posed by privilege escalation flaws in widely used collaboration tools. Given Zoom’s prevalence across enterprises and individuals, timely patching is essential. Organizations should ensure that all Windows-based Zoom clients are upgraded to version 6.3.10 or later, enforce auto-updates, and monitor environments for any suspicious activity. Applying strong access controls and maintaining vigilance will help mitigate the risks associated with this critical vulnerability.