CVE-2021-30480

8.5 HIGH

📋 TL;DR

This vulnerability allows remote authenticated attackers within the same Zoom organization or accepted external contacts to execute arbitrary code on Windows and macOS systems running vulnerable Zoom Chat software. The exploit requires no user interaction, enabling potential complete system compromise. Only Zoom Chat (separate from Zoom Meetings chat) is affected.

💻 Affected Systems

Products:
  • Zoom Chat
Versions: All versions through April 9, 2021
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Zoom Chat standalone software, not the chat feature in Zoom Meetings or Zoom Video Webinars. Requires the attacker to be authenticated within the same organization or accepted as an external contact.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover with attacker gaining full control of the victim's computer, installing malware, stealing data, and moving laterally within the network.

🟠 Likely Case

Targeted attacks against specific individuals within organizations, leading to data theft, surveillance, or ransomware deployment.

🟢 If Mitigated

Limited impact due to network segmentation, endpoint protection, and restricted contact lists preventing unauthorized access.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires authenticated access but no user interaction. The zero-day was discovered and reported through the ZDI program with a $200,000 bounty.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after April 9, 2021

Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/

Restart Required: Yes

Instructions:

1. Open Zoom Chat application.
2. Click your profile picture.
3. Select 'Check for Updates'.
4. Install any available updates.
5. Restart Zoom Chat.

Alternatively, download latest version from Zoom website.

🔧 Temporary Workarounds

Disable Zoom Chat

Operating Systems: Windows

Uninstall or disable Zoom Chat application if not required for business operations

Control Panel > Programs > Uninstall a program > Select Zoom Chat > Uninstall

Restrict External Contacts

Operating Systems: All

Limit ability for users to accept external contacts through administrative controls

🧯 If You Can't Patch

  • Implement network segmentation to isolate Zoom Chat traffic and limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions to detect and block suspicious process execution

🔍 How to Verify

Check if Vulnerable:

Check Zoom Chat version: Open Zoom Chat > Click profile picture > About Zoom Chat. If version date is April 9, 2021 or earlier, system is vulnerable.

Check Version:

On Windows: Check Add/Remove Programs for Zoom Chat version. On macOS: Applications folder > Right-click Zoom Chat > Get Info.

Verify Fix Applied:

Verify Zoom Chat version shows date after April 9, 2021 in About dialog. Check that application updates successfully.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Zoom Chat directory
  • Suspicious network connections initiated by Zoom Chat process

Network Indicators:

  • Anomalous outbound connections from Zoom Chat to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

process_name="Zoom Chat" AND (process_execution_anomaly=TRUE OR network_connection_anomaly=TRUE)
