CVE-2022-22781

7.5 HIGH

📋 TL;DR

This vulnerability in the Zoom Client for Meetings for macOS lets an attacker who can tamper with the client's update process replace the installed client with an older, less secure version: the client did not properly check the package version during an update, so a downgrade was accepted as if it were an upgrade. It affects macOS clients before version 5.9.6. An attacker could use it to reintroduce vulnerabilities that were fixed in later releases and then exploit them.

💻 Affected Systems

Products:
  • Zoom Client for Meetings (Standard)
  • Zoom Client for Meetings (for IT Admin)
Versions: All versions prior to 5.9.6
Operating Systems: macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects macOS clients; Windows, Linux, mobile, and web clients are not affected.

📦 What is this software?

Zoom Client for Meetings is Zoom's desktop video-conferencing application. The macOS builds (Standard and for IT Admin) include an in-app updater that downloads and installs new client packages; this CVE is in that updater's version check.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could downgrade users to versions with known critical vulnerabilities (like RCE or privilege escalation), then chain exploits to gain full system control.

🟠

Likely Case

Attackers downgrade to versions with moderate vulnerabilities to steal credentials, access meetings, or install malware.

🟢

If Mitigated

Updating to 5.9.6 or later removes the flaw. Network controls cannot distinguish a malicious update response from a legitimate one; they only remove the exposure by blocking the update channel entirely, which also blocks the fix.

🌐 Internet-Facing: MEDIUM - Requires an update check on the client (manual or automatic) plus control over the update response the client receives; the update check itself can be prompted by phishing.
🏢 Internal Only: LOW - Needs an attacker positioned to tamper with a specific client's update traffic and a vulnerable client performing an update check at that moment; opportunistic exploitation is unlikely.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ❌ No
Complexity: MEDIUM

Exploitation requires the ability to control the update response a vulnerable client receives (for example from an on-path network position) and an update check on that client, which a user can be tricked into starting (e.g., via phishing). No public exploit is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.9.6 and later

Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/

Restart Required: Yes

Instructions:

1. Open the Zoom client, preferably from a trusted network, since the flaw is in the update path itself.
2. Click your profile picture.
3. Select 'Check for Updates'.
4. If an update to 5.9.6 or later is offered, install it.
5. Restart Zoom after installation and confirm the new version under About Zoom.

🔧 Temporary Workarounds

Disable Automatic Updates

macOS

Stops the client from checking for updates on its own, which removes the unattended trigger for a malicious update response. It does not fix the flaw: a manual 'Check for Updates' on a vulnerable client is still exposed, and it also stops the client from picking up 5.9.6. Re-enable automatic updates once 5.9.6 or later is installed.

Zoom settings → General → uncheck 'Automatically keep Zoom updated'

Network Block Update Servers

all

Blocking the update endpoints at the firewall prevents the client from completing any update, malicious or legitimate. The wildcards below are far broader than the update endpoints: *.zoom.us breaks the Zoom service itself and *.cloudfront.net breaks many unrelated services. Scope any rule to the specific update hosts observed in your own traffic before applying it, and lift it to install 5.9.6 or later.

Block domains: *.zoom.us, *.cloudfront.net (update endpoints)

🧯 If You Can't Patch

  • Track the installed Zoom version per host with your endpoint inventory and alert when a host's version goes down, or stays below 5.9.6.
  • Educate users to avoid updating Zoom via untrusted links or prompts, and to update only from a trusted network.

🔍 How to Verify

Check if Vulnerable:

Check the Zoom version in the app: click your profile picture → About Zoom. If the version is below 5.9.6, the client is vulnerable. Compare numerically, not as text: 5.10.x is newer than 5.9.6.

Check Version:

Read the version from the app bundle's Info.plist rather than relying on a command-line flag of the GUI binary:

/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' /Applications/zoom.us.app/Contents/Info.plist

Verify Fix Applied:

Confirm version is 5.9.6 or higher in About Zoom dialog.

📡 Detection & Monitoring

Log Indicators:

  • Endpoint or Zoom client logs showing an installed version lower than the previously recorded version, or an 'update' that lands below 5.9.6
  • Update prompts or installs not initiated by the user or by a scheduled update window

Network Indicators:

  • Update traffic from Zoom clients answered by hosts other than Zoom's update infrastructure, or update responses carrying version strings older than the installed client
  • DNS resolution of Zoom update domains to unexpected addresses

SIEM Query:

source="zoom.log" AND ("update" OR "downgrade") AND version<"5.9.6"

The field names depend on how your SIEM parses the client logs, and version<"5.9.6" is a string comparison in most query languages, so it misorders releases such as 5.10.x (which sort before 5.9.x lexically). Compare versions component by component, or normalize them to a sortable form at ingest.
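A worked check covering both the local version check under 'How to Verify' and the version-ordering problem in the SIEM query above. This shell script is an added example; it is not Zoom's code and not from the original advisory. It assumes the installed version can be read from CFBundleShortVersionString in the app bundle's Info.plist, and, since Zoom's exact version string format is not documented here, compares only the leading dotted-numeric part. Versions are compared numerically against 5.9.6, and is_downgrade flags a regression between two observed versions, which is the condition a downgrade detection should alert on regardless of the absolute version numbers.

```shell
#!/bin/sh
# Added example (not Zoom's code, not from the original advisory): numeric
# version checks for CVE-2022-22781 on macOS.
#
# Assumptions: the installed version is read from CFBundleShortVersionString
# in the app bundle's Info.plist; Zoom's exact version string format is not
# documented here, so only the leading dotted-numeric part (e.g. "5.9.6") is
# compared. Plain string comparison is deliberately avoided because
# "5.10.0" < "5.9.6" as strings.

FIXED_VERSION="5.9.6"
ZOOM_PLIST="/Applications/zoom.us.app/Contents/Info.plist"

# normalize_version STR: print the leading dotted-numeric part of STR,
# e.g. "5.9.6 (4993)" -> "5.9.6"; prints nothing if STR has no digits.
normalize_version() {
    printf '%s\n' "$1" | sed -n -E 's/^[^0-9]*([0-9]+(\.[0-9]+)*).*/\1/p'
}

# vercmp A B: print -1, 0 or 1 for A<B, A=B, A>B. Missing trailing
# components count as 0, so "5.9" equals "5.9.0".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# zoom_status VERSION: print "vulnerable" (below 5.9.6), "fixed" (5.9.6 or
# later) or "unknown" (version string could not be parsed).
zoom_status() {
    v=$(normalize_version "$1")
    if [ -z "$v" ]; then
        printf '%s\n' unknown
    elif [ "$(vercmp "$v" "$FIXED_VERSION")" -lt 0 ]; then
        printf '%s\n' vulnerable
    else
        printf '%s\n' fixed
    fi
}

# is_downgrade PREV CURR: exit 0 when the version observed now is lower than
# the one observed earlier (exit 2 if either string is unparsable). This is
# the detection condition for a forced downgrade, independent of 5.9.6.
is_downgrade() {
    p=$(normalize_version "$1"); c=$(normalize_version "$2")
    [ -n "$p" ] && [ -n "$c" ] || return 2
    [ "$(vercmp "$c" "$p")" -lt 0 ]
}

# zoom_installed_version: print the installed client version on this Mac,
# or fail if the app bundle is not present.
zoom_installed_version() {
    [ -f "$ZOOM_PLIST" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$ZOOM_PLIST"
}

# Stand-alone use: report on the local client when run on a Mac with Zoom.
if installed=$(zoom_installed_version); then
    printf 'installed: %s -> %s (fixed in %s)\n' \
        "$installed" "$(zoom_status "$installed")" "$FIXED_VERSION"
else
    printf 'no Zoom client found at %s\n' "$ZOOM_PLIST"
fi
```

For fleet use, feed the previous and current version recorded by your inventory tool for each host into is_downgrade; any host where it succeeds has moved to an older client, which is the event this CVE enables and which a plain lexical "version < 5.9.6" filter would miss for hosts that went from 5.10.x to 5.9.x or similar.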
