CVE-2023-36540
📋 TL;DR
This vulnerability in Zoom Desktop Client for Windows allows an authenticated local user to escalate privileges through an untrusted search path in the installer. Attackers could gain higher system permissions by placing malicious files in specific locations. Only Windows users with Zoom Desktop Client versions before 5.14.5 are affected.
💻 Affected Systems
- Zoom Desktop Client for Windows
📦 What is this software?
Zoom by Zoom
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Malicious insider or compromised user account escalates to administrator privileges, allowing installation of malware, credential harvesting, or disabling security controls.
If Mitigated
With proper access controls and least privilege principles, impact is limited to user-level compromise without system-wide effects.
🎯 Exploit Status
Exploitation requires local authenticated access and knowledge of the vulnerable search path mechanism.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.14.5 and later
Vendor Advisory: https://explore.zoom.us/en/trust/security/security-bulletin/
Restart Required: Yes
Instructions:
1. Open Zoom Desktop Client.
2. Click profile picture → Check for Updates.
3. Install version 5.14.5 or later.
4. Restart computer after installation.
🔧 Temporary Workarounds
Restrict local user privileges
Windows: Implement least privilege access controls to limit damage from privilege escalation
Monitor installer directory permissions
Windows: Audit and restrict write permissions to Zoom installation directories
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual privilege escalation attempts
- Segment networks to limit lateral movement from compromised systems
🔍 How to Verify
Check if Vulnerable:
Check the Zoom version in Settings → About. If the version is below 5.14.5, the system is vulnerable.
Check Version:
wmic product where name="Zoom" get version
Verify Fix Applied:
Confirm Zoom version is 5.14.5 or higher in Settings → About after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from Zoom installer paths
- Privilege escalation events in Windows Security logs
- Unexpected file writes to Zoom installation directories
Network Indicators:
- Unusual outbound connections following local privilege escalation
SIEM Query:
EventID=4688 AND (ProcessName LIKE "%zoom%" OR ParentProcessName LIKE "%zoom%") AND (NewProcessName LIKE "%cmd%" OR NewProcessName LIKE "%powershell%")
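As an added example (not part of the original advisory), the version check from "How to Verify" and the SIEM predicate above implemented in Python and run over a few constructed 4688-style records. The key="value" line format, the field names and the sample paths are assumptions for illustration, not a real log export.

```python
"""Advisory checks for CVE-2023-36540: fixed-version comparison and the
4688 process-creation predicate from the SIEM query, over sample events.
All events below are constructed for illustration."""
import re

FIXED_VERSION = (5, 14, 5)  # first Zoom Desktop Client release with the fix


def parse_version(text):
    """Turn a string such as '5.13.10 (12345)' into (5, 13, 10); build suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version_text):
    """True when the installed client predates 5.14.5."""
    return parse_version(version_text) < FIXED_VERSION


EVENT_RE = re.compile(r'(\w+)="([^"]*)"')  # assumed key="value" record layout


def parse_event(line):
    return dict(EVENT_RE.findall(line))


def matches_query(ev):
    """The page's predicate with balanced parentheses:
    4688 AND (zoom in process OR parent) AND (child is cmd OR powershell).
    Substring matching is deliberately as broad as the LIKE "%...%" clauses."""
    if ev.get("EventID") != "4688":
        return False
    zoom_involved = any("zoom" in ev.get(k, "").lower()
                        for k in ("ProcessName", "ParentProcessName"))
    child = ev.get("NewProcessName", "").lower()
    return zoom_involved and ("cmd" in child or "powershell" in child)


def find_alerts(log_text):
    events = (parse_event(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if matches_query(ev)]


# Constructed sample events: lines 1 and 3 should alert, 2 and 4 should not.
SAMPLE_EVENTS = r"""
EventID="4688" ProcessName="C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe" NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\explorer.exe"
EventID="4688" ProcessName="C:\Windows\explorer.exe" NewProcessName="C:\Program Files\Zoom\bin\Zoom.exe" ParentProcessName="C:\Windows\explorer.exe"
EventID="4688" ProcessName="C:\Windows\System32\svchost.exe" NewProcessName="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentProcessName="C:\Users\bob\AppData\Roaming\Zoom\bin\Installer.exe"
EventID="4689" ProcessName="C:\Program Files\Zoom\bin\Zoom.exe" NewProcessName="C:\Windows\System32\cmd.exe" ParentProcessName="C:\Windows\explorer.exe"
"""

if __name__ == "__main__":
    print("vulnerable 5.13.10:", is_vulnerable("5.13.10 (13917)"))
    for ev in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", ev["NewProcessName"], "<-", ev["ParentProcessName"])
```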