CVE-2025-0145
📋 TL;DR
This CVE describes a local privilege escalation vulnerability in Zoom Workplace Apps for Windows installers. An authorized user with local access can exploit an untrusted search path to gain elevated privileges. Only Windows users running vulnerable Zoom Workplace Apps are affected.
💻 Affected Systems
- Zoom Workplace Apps for Windows
📦 What is this software?
Rooms by Zoom
⚠️ Risk & Real-World Impact
Worst Case
An authenticated local attacker gains SYSTEM/administrator privileges on the Windows machine, enabling complete system compromise, data theft, and persistence.
Likely Case
A local user with standard privileges escalates to administrator rights, allowing installation of malware, configuration changes, or access to other user data.
If Mitigated
With proper access controls and least privilege principles, impact is limited to the local machine only, preventing lateral movement or domain compromise.
🎯 Exploit Status
Exploitation requires local access and standard user privileges; search path vulnerabilities are typically straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Zoom advisory ZSB-25004 for patched versions
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-25004/
Restart Required: Yes
Instructions:
1. Visit Zoom's security advisory ZSB-25004.
2. Identify patched versions.
3. Update Zoom Workplace Apps to latest version.
4. Restart system if prompted.
🔧 Temporary Workarounds
Restrict local user privileges
Windows: Apply least privilege principles to limit standard users' ability to execute installers or write to system directories.
Monitor installer execution
Windows: Use application control policies to monitor and restrict installer execution from untrusted locations.
🧯 If You Can't Patch
- Implement strict least privilege access controls to limit standard users' permissions
- Monitor for suspicious process creation events and installer executions from unusual locations
🔍 How to Verify
Check if Vulnerable:
Check Zoom version against vulnerable versions listed in Zoom advisory ZSB-25004
Check Version:
In Zoom app: Settings > About > Version
Verify Fix Applied:
Verify Zoom Workplace Apps version is updated to patched version specified in Zoom advisory
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing Zoom installer execution from unusual paths
- Process creation events for Zoom installers with elevated privileges
Network Indicators:
- No network indicators - this is local exploitation only
SIEM Query:
EventID=4688 AND ProcessName LIKE '%zoom%installer%' AND IntegrityLevel='High'
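The two log indicators above can be combined into one triage pass over exported process-creation events. The following is an added example, not code from this page or from Zoom: it assumes events are exported as dictionaries using the Event 4688 field names `NewProcessName` and `MandatoryLabel`, and the trusted-directory list, the name pattern and the sample events are constructed for illustration.

```python
import ntpath
import re

# Integrity-level SIDs that Event 4688 records in MandatoryLabel.
ELEVATED_LABELS = {"S-1-16-12288": "High", "S-1-16-16384": "System"}

# Assumption: directories an installer is expected to run from; tune per environment.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Mirrors the page's LIKE '%zoom%installer%' pattern, case-insensitively.
ZOOM_INSTALLER = re.compile(r"zoom.*installer", re.IGNORECASE)


def triage(events):
    """Return (path, reasons) for Zoom installer launches worth reviewing."""
    findings = []
    for ev in events:
        if str(ev.get("EventID")) != "4688":
            continue  # only process-creation events
        raw = ev.get("NewProcessName", "")
        path = ntpath.normpath(raw).lower()  # normalise separators and case
        if not ZOOM_INSTALLER.search(path):
            continue
        reasons = []
        label = ELEVATED_LABELS.get(ev.get("MandatoryLabel"))
        if label:
            reasons.append("elevated:" + label)
        if not path.startswith(TRUSTED_PREFIXES):
            reasons.append("unusual-path")
        if reasons:
            findings.append((raw, reasons))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": "C:\\Users\\alice\\Downloads\\ZoomInstallerFull.exe",
     "MandatoryLabel": "S-1-16-12288"},
    {"EventID": 4688, "NewProcessName": "C:\\Program Files\\Zoom\\bin\\Installer.exe",
     "MandatoryLabel": "S-1-16-8192"},
    {"EventID": 4688, "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "MandatoryLabel": "S-1-16-12288"},
    {"EventID": 4624, "NewProcessName": "C:\\Temp\\zoom_installer.exe"},
    {"EventID": 4688, "NewProcessName": "C:\\ProgramData\\Temp\\zoom_installer.exe",
     "MandatoryLabel": "S-1-16-8192"},
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS):
        print(path, reasons)
```

Event 4688 is only logged when process-creation auditing is enabled on the endpoint.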