CVE-2023-34120
📋 TL;DR
This vulnerability allows a user who is already authenticated on a Windows system to escalate privileges by leveraging the Zoom client's elevated system permissions to spawn processes with higher privileges than their own. It affects Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients. A user with local access to a vulnerable system can potentially gain administrative control; it is not remotely exploitable on its own.
💻 Affected Systems
- Zoom for Windows
- Zoom Rooms for Windows
- Zoom VDI for Windows
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated local access could gain full SYSTEM/administrator privileges, install malware, exfiltrate sensitive data, or establish persistent backdoors on the compromised system.
Likely Case
Malicious insiders or attackers who have gained initial access could escalate privileges to bypass security controls, install additional tools, or move laterally within the network.
If Mitigated
With proper endpoint security controls and least privilege principles, the impact is limited to the local system and cannot be exploited remotely without initial access.
🎯 Exploit Status
Exploitation requires authenticated local access; once that access exists, no further network exposure or user interaction is needed. No public exploit code has been identified at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.14.0 and later
Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Restart Required: Yes
Instructions:
1. Open the Zoom client.
2. Click the profile picture.
3. Select 'Check for Updates'.
4. Install version 5.14.0 or later.
5. Restart the Zoom client.
For managed deployments, deploy the updated MSI package through your endpoint management system.
🔧 Temporary Workarounds
Remove Local Admin Rights
Run the Zoom client under a standard user account rather than with administrative rights, so that the processes it spawns inherit as little privilege as possible. This narrows the window but does not remove the flaw, because the issue lies in the client's own elevated components.
# Configure via Group Policy or endpoint management to run Zoom without admin rights
Application Control Restrictions
Use application control (allow-listing) to block unexpected child processes launched from the Zoom executables.
# Configure Windows Defender Application Control or third-party application control solution
🧯 If You Can't Patch
- Uninstall vulnerable Zoom versions from high-risk systems
- Implement strict endpoint detection and response (EDR) monitoring for suspicious process spawning from Zoom executables
🔍 How to Verify
Check if Vulnerable:
Check Zoom client version in Settings > About. If version is below 5.14.0, the system is vulnerable.
Check Version (lists per-machine MSI installs only; per-user installs under %APPDATA% are not recorded in Win32_Product, and `wmic` is deprecated on current Windows builds):
wmic product where "name like 'Zoom%'" get version
Verify Fix Applied:
Confirm Zoom client version is 5.14.0 or higher in Settings > About. Test that Zoom functions normally without requiring administrative privileges for standard operations.
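The version check above misses per-user installs. The following PowerShell script is an added example (not Zoom's own tooling) that inspects the file version of every Zoom.exe it can find, covering the per-machine location under Program Files and the per-user location under each profile's AppData\Roaming. Those install paths and the 5.14.0 threshold are assumptions taken from this page; adjust them to your packaging and to the vendor advisory.

```powershell
# Added example, not vendor code: report installed Zoom clients on this host that are
# below the fixed version. Install paths are assumptions; adjust for your deployment.
$FixedVersion = [version]'5.14.0'

# Candidate Zoom.exe locations: per-machine install(s) plus per-user installs for
# every local profile (per-user installs never appear in Win32_Product / wmic).
$candidates = @()
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) { $candidates += Join-Path $root 'Zoom\bin\Zoom.exe' }
}
$candidates += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Zoom\bin\Zoom.exe' }

function Get-ZoomInstallStatus {
    param([string[]]$Paths, [version]$Fixed)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $raw = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        # FileVersion strings vary ("5.13.5.1234", "5.13.5 (1234)", "5,13,5,1234");
        # normalise separators and keep only the leading dotted numeric part.
        $norm = $raw -replace ',', '.'
        if ($norm -match '^\s*(\d+(\.\d+){1,3})') {
            $ver = [version]$Matches[1]
        } else {
            $ver = $null
        }
        [pscustomobject]@{
            Path       = $p
            RawVersion = $raw
            Version    = $ver
            Vulnerable = if ($ver) { $ver -lt $Fixed } else { 'unknown' }
        }
    }
}

Get-ZoomInstallStatus -Paths $candidates -Fixed $FixedVersion | Format-Table -AutoSize
```

Run it in an elevated session so that other users' profile directories are readable; an entry with Vulnerable = True (or 'unknown', meaning the version string could not be parsed) needs attention.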
📡 Detection & Monitoring
Log Indicators:
- Security event 4688 (process creation) where the parent process is a Zoom binary and the new process is not, especially when the child received a full or elevated token
- Security events showing privilege or group changes performed from a process tree rooted in Zoom
Network Indicators:
- Unusual outbound connections from Zoom processes to external IPs
- Lateral movement attempts originating from systems running vulnerable Zoom versions
SIEM Query (Splunk-style; Security event 4688 has no IntegrityLevel field, so the original query would never match. Use the parent process name and the token elevation type instead: %%1936 is a full token as used by SYSTEM and services, %%1937 is a UAC-elevated token. Parent process name requires Windows 10 / Server 2016 or later with Audit Process Creation enabled; if you want an actual integrity level, query Sysmon event 1 with its IntegrityLevel field instead):
source="WinEventLog:Security" EventCode=4688 ParentProcessName="*\\Zoom*" NOT NewProcessName="*\\Zoom*" (TokenElevationType="%%1936" OR TokenElevationType="%%1937")
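For hosts without a SIEM, the same hunt can be run directly against the Security log. The PowerShell function below is an added example, not vendor or page code: it pulls 4688 events, parses the EventData fields, and reports children of a Zoom process that were created with a full or elevated token. The parent/child name patterns mirror the SIEM query above; the seven-day default window and the field names are standard 4688 fields, but the patterns are an assumption about how Zoom binaries are named in your environment.

```powershell
# Added example, not vendor code: hunt Security 4688 events for non-Zoom children of a
# Zoom process that received a full (%%1936) or elevated (%%1937) token.
# Needs Audit Process Creation enabled; ParentProcessName exists on Win10/Server 2016+.
function Find-ZoomElevatedChildren {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten <Data Name="..."> elements into a hashtable keyed by field name
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        $parent = $d['ParentProcessName']
        $child  = $d['NewProcessName']
        $token  = $d['TokenElevationType']
        $elevated = ($token -eq '%%1936') -or ($token -eq '%%1937')

        if ($parent -like '*\Zoom*' -and $child -notlike '*\Zoom*' -and $elevated) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Creator = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Parent  = $parent
                Child   = $child
                Token   = $token
                # CommandLine is empty unless command-line auditing is also enabled
                Cmdline = $d['CommandLine']
            }
        }
    }
}

Find-ZoomElevatedChildren | Sort-Object Time | Format-Table -AutoSize
```

Expect some benign hits from the Zoom updater launching installers; triage on the Creator account (a low-privilege user as creator of a SYSTEM-token child is the interesting case) and on the child's path and command line.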