CVE-2023-36537
📋 TL;DR
This vulnerability in Zoom Rooms for Windows allows authenticated local users to escalate their privileges on the system. Attackers with standard user accounts could gain administrative access. Only Windows installations of Zoom Rooms before version 5.14.5 are affected.
💻 Affected Systems
- Zoom Rooms for Windows
📦 What is this software?
Rooms by Zoom
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains full administrative control over the Windows system, enabling installation of malware, data theft, or persistence mechanisms.
Likely Case
Malicious insider or compromised user account escalates to admin privileges to bypass security controls or install unauthorized software.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.
🎯 Exploit Status
Requires authenticated local access but likely straightforward to exploit once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.14.5
Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Restart Required: Yes
Instructions:
1. Download Zoom Rooms for Windows version 5.14.5 or later from Zoom's official website.
2. Run the installer as administrator.
3. Follow installation prompts.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict Local Access
Limit physical and remote access to systems running Zoom Rooms to authorized administrators only.
User Account Control
Ensure User Account Control (UAC) is enabled and configured to prompt for credentials for administrative tasks.
🧯 If You Can't Patch
- Isolate affected systems from critical network segments and restrict access to essential personnel only.
- Implement enhanced monitoring for privilege escalation attempts and unusual administrative activity.
🔍 How to Verify
Check if Vulnerable:
Check Zoom Rooms version in the application's About section or via Windows Programs and Features.
Check Version:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*Zoom Rooms*"} | Select-Object DisplayName, DisplayVersion
Verify Fix Applied:
Confirm Zoom Rooms version is 5.14.5 or later in the application's About section.
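The version check above can be scripted so it can run across a fleet of Zoom Rooms machines. The following PowerShell is an added example, not Zoom's tooling or part of this advisory: it reads the same Uninstall registry keys as the one-liner (including the WOW6432Node and per-user hives, which the one-liner skips), parses DisplayVersion with [version], and compares it to the fixed version 5.14.5. The "*Zoom Rooms*" DisplayName match is carried over from the one-liner and is an assumption about how the product registers itself.

```powershell
# Added example (not from the advisory or from Zoom): reports whether Zoom Rooms for
# Windows is at or above the fixed version 5.14.5 by reading the Uninstall registry keys.
$FixedVersion = [version]'5.14.5'

# 64-bit, 32-bit (WOW6432Node) and per-user install locations.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-ZoomRoomsFixed {
    param([version]$MinimumVersion = $FixedVersion)

    # DisplayName match is an assumption carried over from the advisory's one-liner.
    $installs = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zoom Rooms*' -and $_.DisplayVersion }

    if (-not $installs) {
        return [pscustomobject]@{
            Installed = $false; Version = $null; Vulnerable = $false; Status = 'Zoom Rooms not found'
        }
    }

    foreach ($app in $installs) {
        # Take the first dotted numeric run so suffixes such as "(1234)" or build tags
        # do not break parsing; [version] accepts two to four parts.
        $parsed = $null
        $ok = ($app.DisplayVersion -match '\d+(\.\d+){1,3}') -and
              [version]::TryParse($Matches[0], [ref]$parsed)
        if (-not $ok) {
            [pscustomobject]@{
                Installed = $true; Version = $app.DisplayVersion; Vulnerable = $null
                Status    = 'Could not parse version; check the About dialog manually'
            }
            continue
        }

        $vulnerable = $parsed -lt $MinimumVersion
        [pscustomobject]@{
            Installed  = $true
            Version    = $parsed.ToString()
            Vulnerable = $vulnerable
            Status     = if ($vulnerable) { "Below $MinimumVersion: update required" }
                         else             { "At or above $MinimumVersion: fixed" }
        }
    }
}

Test-ZoomRoomsFixed | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the HKLM hives are readable; an installation that reports Vulnerable = True should be scheduled for the 5.14.5 update and restart described under Official Fix.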
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected privilege escalation, Zoom Rooms process spawning with elevated privileges, or unusual administrative account usage.
Network Indicators:
- Unusual outbound connections from Zoom Rooms systems, particularly to known malicious domains or unexpected destinations.
SIEM Query:
EventID=4688 AND ParentProcessName contains "ZoomRooms.exe" AND (NewProcessName contains "cmd.exe" OR NewProcessName contains "powershell.exe")
In Event 4688 the Zoom Rooms image appears in the Creator Process Name (ParentProcessName) field and the spawned shell in New Process Name; the OR clause must be parenthesised, otherwise the query also matches every powershell.exe launch on the host.
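For hosts that do not forward to a SIEM, the same detection can be run locally against the Security log. The script below is an added example, not part of the advisory: it pulls Process Creation events (4688) from the last N hours, parses the event XML, and reports any shell whose parent image is ZoomRooms.exe. It assumes "Audit Process Creation" is enabled (and command-line auditing for the CommandLine column); the image name ZoomRooms.exe is taken from the SIEM query above and is an assumption about the install.

```powershell
# Added example (not from the advisory): local hunt for shells spawned by Zoom Rooms
# using Security event 4688. Requires an elevated session to read the Security log.
function Get-SuspiciousZoomRoomsChildren {
    param(
        [int]$Hours = 24,
        [string]$ParentImage = 'ZoomRooms.exe',                          # assumed image name
        [string[]]$ChildImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten <EventData><Data Name=...> pairs into a hashtable for easy lookup.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # ParentProcessName is only populated on Windows 8.1 / Server 2012 R2 and later.
        if (-not $data['ParentProcessName'] -or -not $data['NewProcessName']) { return }

        $parent = Split-Path -Leaf $data['ParentProcessName']
        $child  = Split-Path -Leaf $data['NewProcessName']

        if ($parent -ieq $ParentImage -and $ChildImages -icontains $child) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                # Empty unless "Include command line in process creation events" is on.
                CommandLine = $data['CommandLine']
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # %%1937 = full elevated token, %%1938 = limited token, %%1936 = default.
                TokenElevationType = $data['TokenElevationType']
            }
        }
    }
}

Get-SuspiciousZoomRoomsChildren -Hours 24 | Format-Table -AutoSize
```

A hit whose TokenElevationType is %%1937 (a full administrator token) while the subject user is a standard account is the pattern this advisory's Log Indicators describe and should be escalated to incident response; a hit with a limited token still warrants a look at the CommandLine column.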