CVE-2024-27244
📋 TL;DR
This vulnerability in Zoom Workplace VDI App for Windows allows authenticated local users to escalate privileges due to insufficient verification of data authenticity in the installer. Attackers could gain elevated system permissions. Only affects Windows users running the vulnerable Zoom VDI application.
💻 Affected Systems
- Zoom Workplace VDI App for Windows
⚠️ Risk & Real-World Impact
Worst Case
Local authenticated attacker gains SYSTEM-level privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement.
Likely Case
Malicious insider or compromised account escalates to administrator privileges to install malware, modify system settings, or access sensitive data.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.
🎯 Exploit Status
Requires local authenticated access but exploitation appears straightforward based on CWE-347 (Insufficient Verification of Data Authenticity).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.17.10 or later
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-24015/
Restart Required: Yes
Instructions:
1. Open Zoom Workplace VDI App.
2. Click profile picture → Check for Updates.
3. Install update to version 5.17.10+.
4. Restart computer.
5. Verify version in Settings → About.
🔧 Temporary Workarounds
Restrict Local Access
Windows: Limit local authenticated access to systems with Zoom VDI installed to trusted users only.
Disable Zoom VDI App
Windows: Uninstall or disable Zoom Workplace VDI App if not required for business operations.
Control Panel → Programs → Uninstall a program → Select Zoom Workplace VDI → Uninstall
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit local authenticated users
- Enable detailed logging and monitoring for privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Open Zoom Workplace VDI App → Settings → About → Check if version is below 5.17.10
Check Version:
wmic product where name="Zoom Workplace VDI" get version
Verify Fix Applied:
Confirm version is 5.17.10 or higher in Settings → About
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs: Process creation with elevated privileges from Zoom installer
- Zoom application logs showing unusual installer activity
Network Indicators:
- None - local privilege escalation only
SIEM Query:
EventID=4688 AND (ProcessName="Zoom*" OR CommandLine LIKE "%Zoom%") AND NewProcessName="*" AND TokenElevationType="%%1937"
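An added example (not from the advisory or from Zoom) that applies the SIEM query above to exported 4688 records and keeps only hits on hosts whose installed version is still below 5.17.10, comparing versions numerically. Mapping the query's ProcessName to the 4688 field ParentProcessName is an assumption, and the inventory, host names and file paths are constructed for illustration.

```python
import ntpath
import re

FIXED_VERSION = (5, 17, 10)  # first fixed release per the advisory
ELEVATED_FULL = "%%1937"     # TokenElevationType value used in the page's query

def parse_version(text):
    """'5.17.9.24500' -> (5, 17, 9). Compare as integers: as strings, '5.17.9' > '5.17.10'."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])

def is_vulnerable(version_text):
    return parse_version(version_text) < FIXED_VERSION

def zoom_related(event):
    """Mirror the query: 'Zoom' in the creating process name or in the command line."""
    parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
    return parent.startswith("zoom") or "zoom" in event.get("CommandLine", "").lower()

def triage(events, inventory):
    """Return (host, new process) for elevated Zoom-related 4688 events on unpatched hosts."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4688 or ev.get("TokenElevationType") != ELEVATED_FULL:
            continue
        host = ev.get("Computer", "")
        # Hosts missing from the inventory count as unpatched so they are not dropped.
        if zoom_related(ev) and is_vulnerable(inventory.get(host, "0")):
            hits.append((host, ev.get("NewProcessName", "")))
    return hits

def sample_event(host, elevation, parent, cmdline, new):
    return {"EventID": 4688, "Computer": host, "TokenElevationType": elevation,
            "ParentProcessName": parent, "CommandLine": cmdline, "NewProcessName": new}

# Constructed sample data: hosts, versions and paths are illustrative only.
INVENTORY = {"VDI-01": "5.17.9", "VDI-02": "5.17.10", "VDI-03": "5.16.0"}
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    sample_event("VDI-01", "%%1937", r"C:\Temp\ZoomInstaller.exe", "", CMD),
    sample_event("VDI-02", "%%1937", r"C:\Temp\ZoomInstaller.exe", "", CMD),
    sample_event("VDI-03", "%%1938", r"C:\Windows\explorer.exe", r"C:\Temp\ZoomSetup.exe", r"C:\Temp\ZoomSetup.exe"),
    sample_event("VDI-03", "%%1937", r"C:\Windows\explorer.exe", r"C:\Temp\ZoomSetup.exe", r"C:\Temp\ZoomSetup.exe"),
    sample_event("VDI-01", "%%1937", r"C:\Windows\explorer.exe", "notepad.exe", r"C:\Windows\notepad.exe"),
]

if __name__ == "__main__":
    for host, proc in triage(EVENTS, INVENTORY):
        print(host, proc)
```

The CommandLine field is only populated when command-line auditing for process creation events is enabled, so on hosts without it the match relies on the process name alone.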