CVE-2025-49457
📋 TL;DR
This vulnerability (CWE-426, untrusted search path) lets an unauthenticated attacker with network access to a machine running a vulnerable Zoom client for Windows cause the client to load code from a location the attacker controls, escalating privileges on that machine. The attacker needs neither a Zoom account nor a local login; Zoom's bulletin ZSB-25030 rates the vector as network. Every Windows Zoom client user on an affected version is exposed until the client is updated.
💻 Affected Systems
- Zoom Client for Windows
📦 What is this software?
Zoom's video-conferencing client software for Windows. This page names the Zoom Client for Windows and Zoom Rooms; consult ZSB-25030 for the exact product list and affected version ranges.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attacker gains SYSTEM/administrator privileges, installs persistent malware, steals credentials, and moves laterally across the network.
Likely Case
Local privilege escalation allowing attacker to install additional malware, modify system settings, or access sensitive data on the compromised machine.
If Mitigated
Limited impact if network segmentation prevents unauthorized network access and endpoint protection blocks suspicious process execution.
🎯 Exploit Status
Zoom's bulletin ZSB-25030 rates the attack vector as network with no authentication required. CWE-426 (Untrusted Search Path) means the client resolves a library or executable through a location an attacker can influence; on Windows this is typically DLL search-order hijacking, where a planted DLL is loaded in place of the intended one. This page references no public proof-of-concept.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Zoom's security bulletin ZSB-25030 for patched versions
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-25030
Restart Required: Yes
Instructions:
1. Open the Zoom client.
2. Click your profile picture → Check for Updates.
3. Install the available update.
4. Restart the Zoom client.
5. Verify the version is at or above the patched version listed in ZSB-25030.
Managed (MSI) deployments and Zoom Rooms are normally updated through your deployment tooling rather than the in-app updater; push the patched package there and verify on each endpoint.
🔧 Temporary Workarounds
Network Segmentation
Isolate Zoom clients from untrusted networks using VLANs or firewall rules; because the attack vector is the network, this is the workaround that most directly reduces exposure.
Restrict DLL Loading
Use Windows application control (AppLocker or WDAC with DLL rules, or Software Restriction Policies on older builds) to stop Zoom from loading libraries from user-writable or remote locations. The registry command below only enables certificate-rule enforcement within Software Restriction Policies; on its own it does not police DLL loads. SRP checks DLLs only when TransparentEnabled is set to 2, and blocks nothing unless DefaultLevel is Disallowed with allow-list path rules for the system and program directories. Test on a pilot group first, as a misconfigured policy can block legitimate software, and note that SRP is deprecated in favour of AppLocker/WDAC on current Windows releases.
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v "AuthenticodeEnabled" /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Disable Zoom auto-start and launch the client only when needed, to shrink the window in which a vulnerable process is running
- Restrict the client's network exposure with host and network firewall rules; in particular, block SMB (TCP 445/139) and WebDAV from endpoints toward untrusted networks, since those are the protocols over which a remote search-path entry would be resolved
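The following PowerShell is an added example, not code from Zoom or from ZSB-25030. It audits the conditions an untrusted search path attack depends on (DLL search mode, whether the SRP setting above actually polices DLLs, and whether non-administrators can write into Zoom's install directory) and offers a guarded way to remove Zoom from auto-start. The install paths, the SRP value names (Microsoft's documented Safer keys) and the Run-key scan are assumptions stated in the comments; run it from an elevated prompt.

```powershell
# Added example, not from Zoom or ZSB-25030: audit the conditions an untrusted
# search path attack depends on, and optionally remove Zoom from auto-start.
# Assumptions: Zoom.exe lives in one of the default install locations below; the
# SRP registry values are Microsoft's documented Safer keys. Run elevated.

function Get-SearchPathHardening {
    param(
        [string[]]$ZoomExe = @((Join-Path $env:ProgramFiles 'Zoom\bin\Zoom.exe'),  # per-machine (MSI) install
                               (Join-Path $env:APPDATA      'Zoom\bin\Zoom.exe'))  # per-user install
    )

    # 1. SafeDllSearchMode: when 1 (or absent, which is the default) the working
    #    directory is searched after the system directories, not before them.
    $sm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'SafeDllSearchMode'
        Value = $sm.SafeDllSearchMode
        Ok    = ($null -eq $sm.SafeDllSearchMode -or $sm.SafeDllSearchMode -eq 1)
    }

    # 2. SRP: AuthenticodeEnabled alone only switches on certificate rules. DLLs are
    #    examined only when TransparentEnabled is 2, and nothing is blocked unless
    #    DefaultLevel is 0 (Disallowed) together with allow-list path rules.
    $srp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check = 'SRP DLL enforcement'
        Value = "TransparentEnabled=$($srp.TransparentEnabled) DefaultLevel=$($srp.DefaultLevel)"
        Ok    = ($srp.TransparentEnabled -eq 2 -and $srp.DefaultLevel -eq 0)
    }

    # 3. Who can create files in the directory Zoom loads from? Anyone who can drop
    #    a DLL beside Zoom.exe wins any search-order race. (Generic rights such as
    #    GENERIC_WRITE are not decoded here; review those ACEs by hand.)
    foreach ($exe in $ZoomExe | Where-Object { Test-Path -LiteralPath $_ }) {
        $dir = Split-Path -Parent $exe
        $writers = (Get-Acl -LiteralPath $dir).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|NT AUTHORITY\\INTERACTIVE)$' -and
            ([int]$_.FileSystemRights -band 0x6) -ne 0   # WriteData | AppendData (create files / dirs)
        }
        [pscustomobject]@{
            Check = "Non-admin write access: $dir"
            Value = (@($writers.IdentityReference) -join ', ')
            Ok    = (-not $writers)
        }
    }
}

function Disable-ZoomAutoStart {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Remove any Run-key value whose command references Zoom.exe. The value name is
    # deliberately not assumed, because it differs between install types.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        $zoomEntries = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'zoom\.exe' }
        foreach ($p in $zoomEntries) {
            if ($PSCmdlet.ShouldProcess("$key\$($p.Name)", 'Remove auto-start entry')) {
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }
}

# Usage:
#   Get-SearchPathHardening | Format-Table -AutoSize
#   Disable-ZoomAutoStart -WhatIf     # preview, then run without -WhatIf
```

A per-user install lives under the user's own profile, so the ACL check will always report that user as a writer; that is inherent to per-user installs and is a reason to prefer the per-machine MSI package on managed endpoints.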
🔍 How to Verify
Check if Vulnerable:
Check Zoom client version against affected versions in ZSB-25030 advisory
Check Version:
In Zoom client: Click profile picture → About Zoom
Verify Fix Applied:
Verify Zoom client version matches or exceeds patched version specified in ZSB-25030
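The following PowerShell is an added example, not code from Zoom or from ZSB-25030, for the version checks described under "Fix & Mitigation" and "How to Verify". It locates every Zoom.exe on the machine (per-machine installs under Program Files and per-user installs in each profile's AppData\Roaming, both assumed defaults), reads the file version and compares it with the fixed version you pass in from the bulletin. The fixed version is deliberately a parameter, since this page does not state it.

```powershell
# Added example, not from Zoom or ZSB-25030: find every Zoom.exe on the machine
# and compare its file version with the fixed version taken from the bulletin.
# Assumptions: per-machine installs live under Program Files\Zoom\bin and per-user
# installs under <profile>\AppData\Roaming\Zoom\bin (typical defaults). Run elevated
# so that other users' profiles are readable.

function Get-ZoomPatchStatus {
    param(
        # Minimum patched version for your product as listed in ZSB-25030.
        [Parameter(Mandatory = $true)][version]$FixedVersion
    )

    # Compare on major.minor.build only; the binary's FileVersion carries a fourth
    # build-number component that the bulletin's version strings do not.
    $fixed3 = [version]('{0}.{1}.{2}' -f $FixedVersion.Major, $FixedVersion.Minor, [Math]::Max($FixedVersion.Build, 0))

    $candidates = [System.Collections.Generic.List[string]]::new()
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
        $candidates.Add((Join-Path $root 'Zoom\bin\Zoom.exe'))
    }
    $profiles = Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue
    foreach ($p in $profiles) {
        $candidates.Add((Join-Path $p.FullName 'AppData\Roaming\Zoom\bin\Zoom.exe'))
    }

    foreach ($path in $candidates | Sort-Object -Unique) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $m   = [regex]::Match([string]$vi.FileVersion, '^\d+\.\d+\.\d+')
        $installed3 = if ($m.Success) { [version]$m.Value } else { $null }
        $status = if ($null -eq $installed3) { 'Unknown' }
                  elseif ($installed3 -lt $fixed3) { 'VULNERABLE' }
                  else { 'Patched' }
        [pscustomobject]@{
            Path        = $path
            FileVersion = $vi.FileVersion
            Signature   = $sig.Status          # Valid for a genuine, untampered binary
            Signer      = $sig.SignerCertificate.Subject
            Status      = $status
        }
    }
}

# Usage (substitute the version ZSB-25030 lists for your product):
#   Get-ZoomPatchStatus -FixedVersion 'X.Y.Z' | Format-Table -AutoSize
```

Per-user installs are invisible from another account, which is why the function walks every profile directory rather than only the caller's APPDATA; a machine can carry a patched per-machine install and a still-vulnerable per-user copy at the same time.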
📡 Detection & Monitoring
Log Indicators:
- A process spawned by Zoom.exe running at High or System integrity (Sysmon Event ID 1, or Windows 4688 with parent process tracking enabled)
- Zoom.exe loading a DLL from outside its own install directory or the Windows directory, from a UNC path, or an unsigned DLL (Sysmon Event ID 7, image load)
Network Indicators:
- Unexpected connections from Zoom.exe to internal hosts that are not Zoom infrastructure
- Zoom.exe initiating SMB (TCP 445/139) or WebDAV traffic, the protocols over which a remote entry in a search path would be resolved (Sysmon Event ID 3)
SIEM Query:
Sysmon Event ID 1 where ParentImage ends with "\Zoom.exe" and IntegrityLevel is "High" or "System". Baseline against Zoom's own signed updater/installer, which may legitimately run elevated, before turning this into an alert.
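The following PowerShell is an added example, not code from Zoom or from the advisory, that runs the three indicators above against the local Sysmon log: elevated children of Zoom.exe (Event ID 1), Zoom.exe speaking SMB (Event ID 3), and Zoom.exe loading DLLs that are unsigned, remote, or outside its own directory (Event ID 7). It assumes Sysmon is installed with a configuration that records those event IDs for Zoom.exe; image-load logging is often filtered out for performance, so confirm your config before trusting an empty result.

```powershell
# Added example, not from Zoom or ZSB-25030: hunt Sysmon for the behaviours an
# untrusted search path exploit against Zoom would produce. Assumes Sysmon logs
# Event IDs 1, 3 and 7 for Zoom.exe. Run elevated to read the Sysmon channel.

function ConvertFrom-SysmonEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    # Flatten the <EventData><Data Name="..."> pairs into one object.
    $xml = [xml]$Record.ToXml()
    $h = @{ Id = $Record.Id; Time = $Record.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

function Get-ZoomSuspiciousEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 7; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertFrom-SysmonEvent $_ }

    foreach ($e in $events) {
        $hit = $null
        switch ($e.Id) {
            1 {
                # Child of Zoom.exe running above Medium integrity. Zoom's own signed
                # updater can legitimately do this; baseline it before alerting.
                if ($e.ParentImage -match '\\zoom\.exe$' -and $e.IntegrityLevel -in 'High', 'System') {
                    $hit = "ElevatedChildOfZoom: $($e.Image) [$($e.IntegrityLevel)] $($e.CommandLine)"
                }
            }
            3 {
                # Zoom.exe speaking SMB: consistent with a UNC search-path entry being resolved.
                if ($e.Image -match '\\zoom\.exe$' -and $e.DestinationPort -in '445', '139') {
                    $hit = "ZoomSmbConnect: -> $($e.DestinationIp):$($e.DestinationPort)"
                }
            }
            7 {
                if ($e.Image -match '\\zoom\.exe$') {
                    # Expected code locations: Zoom's own bin directory and %windir%.
                    $trusted   = @((Split-Path -Parent $e.Image), $env:windir)
                    $inTrusted = $false
                    foreach ($t in $trusted) {
                        if ($e.ImageLoaded.StartsWith("$t\", [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
                    }
                    $unc = $e.ImageLoaded -like '\\*'
                    # A planted DLL inside the bin directory is caught by the signature check.
                    if ($unc -or -not $inTrusted -or $e.Signed -ne 'true') {
                        $hit = "ZoomImageLoad: $($e.ImageLoaded) signed=$($e.Signed) status=$($e.SignatureStatus)"
                    }
                }
            }
        }
        if ($hit) { [pscustomobject]@{ Time = $e.Time; EventId = $e.Id; Finding = $hit } }
    }
}

# Usage:
#   Get-ZoomSuspiciousEvents -Since (Get-Date).AddDays(-1) | Sort-Object Time | Format-Table -Wrap
```

The image-load rule treats Zoom's own bin directory as trusted so that its legitimate DLLs do not flood the output, and relies on Sysmon's Signed/SignatureStatus fields to catch anything planted there; pair it with an ACL check on that directory and with Event ID 11 (file create) if your Sysmon config records it.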