Skip to content Dark Web Informer - Cyber Threat Intelligence
Support
Sign In Subscribe
Vulnerabilities

CVE-2025-49457: Zoom Clients for Windows: Untrusted Search Path Vulnerability

 and  Dark Web Informer
1 min read

CVE ID: CVE-2025-49457
CVSS v3.1: 9.6 Critical (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
Publish Date: August 12, 2025

TL;DR

Certain Zoom Clients for Windows have a critical untrusted search path vulnerability. This flaw allows a remote, unauthenticated attacker to escalate privileges by making the client load malicious DLL files from locations such as network shares. Zoom has released patched versions, so updating is strongly recommended.

Affected Versions

  • Zoom Workplace for Windows before 6.3.10
  • Zoom Workplace VDI for Windows before 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before 6.3.10
  • Zoom Rooms Controller for Windows before 6.3.10
  • Zoom Meeting SDK for Windows before 6.3.10

Vulnerability Details

  • Type: Untrusted search path / DLL hijacking (CWE 426)
  • Description: Zoom improperly handles the loading of DLL files. An attacker can place a malicious DLL in a location that Zoom prioritizes in its search order, such as a network share. When Zoom loads this DLL, the attacker’s code executes with elevated privileges.
  • Impact: Privilege escalation with the ability to execute arbitrary code using Zoom’s permissions.
  1. Update all Zoom Windows clients to version 6.3.10 or later.
  2. Until patching is complete:
    • Avoid using Zoom from untrusted network shares or directories.
    • Use Group Policy or AppLocker to restrict DLL loading to trusted locations.
    • Monitor file system and network activity for suspicious DLL placements.

Affected Environments

  • Any Windows system running Zoom that has access to shared or network directories.
  • Virtual desktop infrastructure (VDI) environments and shared enterprise systems are particularly at risk.

TTPs (MITRE Alignment)

  • Initial Access / Execution: Path interception by placing malicious DLL files in a location loaded by the application (T1574.007).
  • Privilege Escalation: Execution of attacker controlled code with elevated permissions.

References

Related

Latest