CVE-2025-30662
📋 TL;DR
The Zoom Workplace VDI Plugin macOS Universal installer follows symbolic links during installation, which may allow an authenticated user to cause information disclosure via network access. It affects macOS users running vulnerable versions of the Zoom VDI Plugin installer. The attacker must have local authenticated access to exploit this vulnerability.
💻 Affected Systems
- Zoom Workplace VDI Plugin macOS Universal installer
📦 What is this software?
Workplace Virtual Desktop Infrastructure by Zoom
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could read sensitive files on the system by creating symbolic links that point to restricted files, potentially exposing credentials, configuration files, or other sensitive data.
Likely Case
Local authenticated user gains unauthorized read access to files they shouldn't normally be able to access, potentially exposing user data or system information.
If Mitigated
With proper access controls and file permissions, the impact is limited to files the user already has some level of access to, reducing the severity of information disclosure.
🎯 Exploit Status
Exploitation requires the attacker to have local authenticated access and be able to run or influence the installer process.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.14, 6.4.14, or 6.5.10, depending on your track
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-25045
Restart Required: No
Instructions:
1. Open Zoom Workplace application.
2. Go to Settings > About.
3. Check current version.
4. If vulnerable, download and install the latest version from zoom.us/download.
5. Verify installation completed successfully.
🔧 Temporary Workarounds
Restrict installer execution
macOS: Limit who can execute the Zoom VDI Plugin installer to trusted administrators only
chmod 750 /path/to/zoom-installer
sudo chown root:admin /path/to/zoom-installer
Monitor symbolic link creation
macOS: Implement monitoring for suspicious symbolic link creation in temporary directories
# auditctl belongs to Linux auditd and is not available on macOS; fs_usage traces file-system calls live
sudo fs_usage -w -f filesys | grep -i symlink
🧯 If You Can't Patch
- Restrict local user accounts and implement least privilege access controls
- Monitor for unusual file access patterns and symbolic link creation in installer directories
🔍 How to Verify
Check if Vulnerable:
Check Zoom version in Settings > About. If version is below 6.3.14, 6.4.14, or 6.5.10 (depending on track), you are vulnerable.
Check Version:
defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString
Verify Fix Applied:
After updating, verify version shows 6.3.14, 6.4.14, or 6.5.10 or higher in Settings > About.
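The version check above as a script (an added example, not from Zoom or the original page): it compares a version string with the fixed release for its track. Treating the major.minor prefix as the track, versions older than 6.3 as vulnerable, and versions newer than 6.5 as patched are assumptions.

```shell
# Added example: classify a Zoom version string against the fixed releases
# listed on this page (6.3.14, 6.4.14, 6.5.10).
# Assumption: the release track is the major.minor prefix of the version.

# zoom_vdi_status VERSION -> prints "patched", "vulnerable" or "unknown"
zoom_vdi_status() {
    # Keep only the leading dotted number, e.g. "6.4.14 (1234)" -> "6.4.14"
    ver=$(printf '%s' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    case "$major.$minor" in
        6.3) fixed=14 ;;
        6.4) fixed=14 ;;
        6.5) fixed=10 ;;
        *)
            # Assumption: tracks older than 6.3 never received the fix,
            # tracks newer than 6.5 already contain it.
            if [ "$major" -lt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -lt 3 ]; }; then
                echo vulnerable
            else
                echo patched
            fi
            return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# On a Mac, read the installed version from the path used on this page.
plist=/Applications/zoom.us.app/Contents/Info.plist
if command -v defaults >/dev/null 2>&1 && [ -f "$plist" ]; then
    zoom_vdi_status "$(defaults read "$plist" CFBundleShortVersionString)"
fi
```

An "unknown" result means the string did not contain a three-part version number and should be checked by hand in Settings > About.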
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns during Zoom installation
- Multiple symbolic link creations in temporary directories
- Zoom installer running with unexpected file operations
Network Indicators:
- Unusual outbound data transfers following Zoom installation
- SMB or other file sharing protocols accessing unexpected files
SIEM Query:
process_name="installer" AND file_path="*zoom*" AND file_operation="symlink"