Summary
A critical vulnerability (CVE-2023-49647) has been identified in Zoom products. Threat actors could exploit it for denial of service, privilege escalation and unauthorized disclosure of sensitive information on affected systems, jeopardizing the confidentiality and integrity of Zoom sessions and user data, so mitigating measures should be applied promptly.
Description & Consequence
The identified vulnerabilities in Zoom products are due to improper authentication, path traversal, improper access control and cryptographic weaknesses. Specifically, an Improper Access Control vulnerability exists in Zoom Desktop Client, Zoom VDI Client, and Zoom SDKs for Windows. It allows an unauthenticated user to escalate privilege via local access, potentially enabling unauthorized actions such as modifying system settings, installing malware or accessing sensitive data. Affected products include:
- Zoom Desktop Client for Windows before version 5.16.10
- VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Video SDK for Windows before version 5.16.10
- Zoom Meeting SDK for Windows before version 5.16.10
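As an added example (not part of the advisory or of any Zoom tooling), a small Python triage helper that encodes the affected-version list above, including the two VDI builds the list excludes, and flags inventory entries that still need the 5.16.10 upgrade. The product keys, hostnames and version strings are constructed for illustration.

```python
"""Classify Zoom for Windows versions against the CVE-2023-49647 fixed release."""
from typing import Dict, List, Tuple

FIXED_VERSION = (5, 16, 10)

# VDI Client builds the advisory lists as not affected even though they are
# numerically below 5.16.10 ("excluding 5.14.14 and 5.15.12").
PATCHED_BELOW_FIX = {
    "vdi": {(5, 14, 14), (5, 15, 12)},
}

# Hypothetical product keys used by this example's inventory records.
PRODUCTS = {"desktop", "vdi", "video_sdk", "meeting_sdk"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.16.10' or '5.16.10.1234' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool:
    """Return True if this product/version pair falls in the affected range."""
    if product not in PRODUCTS:
        raise ValueError(f"unknown product: {product!r}")
    # Compare only the three components the advisory uses; a fourth build
    # component (e.g. 5.16.10.26186, constructed) still belongs to 5.16.10.
    base = (parse_version(version) + (0, 0, 0))[:3]
    if base in PATCHED_BELOW_FIX.get(product, set()):
        return False
    return base < FIXED_VERSION


def triage(inventory: List[Dict[str, str]]) -> List[str]:
    """Return the hosts whose Zoom install still needs the 5.16.10 upgrade."""
    return [h["host"] for h in inventory if is_vulnerable(h["product"], h["version"])]


# Constructed sample inventory; hostnames and versions are not real hosts.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "desktop", "version": "5.15.5"},
    {"host": "ws-02", "product": "desktop", "version": "5.16.10.26186"},
    {"host": "vdi-01", "product": "vdi", "version": "5.14.14"},
    {"host": "vdi-02", "product": "vdi", "version": "5.14.10"},
    {"host": "dev-01", "product": "meeting_sdk", "version": "5.16.2"},
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):  # prints ws-01, vdi-02, dev-01
        print(f"{host}: upgrade to {'.'.join(map(str, FIXED_VERSION))} or later")
```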
Successful exploitation of this vulnerability could result in the following:
- Data exfiltration.
- Execution of malware on systems.
- Launch of DoS or DDoS attacks.
- Further compromise of individual or organizational communications.
Solution
Users can help keep themselves secure by upgrading to version 5.16.10, which eliminates this vulnerability, or by downloading the latest Zoom software with all current security updates from https://zoom.us/download.