CVE-2025-49459
📋 TL;DR
This vulnerability allows authenticated users on Windows ARM systems to escalate privileges through Zoom Workplace's installer due to missing authorization checks. It affects users running Zoom Workplace for Windows on ARM versions before 6.5.0. Attackers with local access can gain elevated system privileges.
💻 Affected Systems
- Zoom Workplace
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker gains SYSTEM/administrator privileges, enabling complete system compromise, installation of malware, data theft, and persistence mechanisms.
Likely Case
Malicious insider or compromised user account escalates privileges to install additional tools, access restricted data, or maintain persistence on the system.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated systems with quick detection and remediation.
🎯 Exploit Status
Requires authenticated local access but exploitation is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.5.0
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/ZSB-25032
Restart Required: Yes
Instructions:
1. Open the Zoom Workplace application.
2. Click profile icon → Check for Updates.
3. Install version 6.5.0 or later.
4. Restart the application and system if prompted.
🔧 Temporary Workarounds
Restrict Local User Access
Windows: Limit which users have local login access to Windows ARM systems running Zoom Workplace.
Remove Zoom Workplace from High-Value Systems
Windows: Uninstall Zoom Workplace from critical systems until patched.
Control Panel → Programs → Uninstall a program → Select Zoom Workplace → Uninstall
🧯 If You Can't Patch
- Implement strict least privilege access controls on Windows ARM systems
- Monitor for privilege escalation attempts using Windows Event Logs and EDR solutions
🔍 How to Verify
Check if Vulnerable:
Check Zoom Workplace version in Settings → About. If version is below 6.5.0 on Windows ARM, system is vulnerable.
Check Version:
wmic product where name="Zoom Workplace" get version
Verify Fix Applied:
Confirm Zoom Workplace version is 6.5.0 or higher in Settings → About.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unexpected privilege escalation
- Zoom installer processes running with elevated privileges from non-admin users
Network Indicators:
- Unusual outbound connections following local privilege escalation
SIEM Query:
EventID=4688 AND ProcessName LIKE "%zoom%" AND (NewProcessName LIKE "%cmd%" OR NewProcessName LIKE "%powershell%") AND SubjectUserName NOT IN (admin_users_list)
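
The SIEM query's terms applied to constructed 4688 records, as an added example that is not part of the advisory. It assumes the intended rule is Zoom creator AND shell child AND non-admin user, treats `ProcessName` as the creating process as the query does, and compares that with what an engine where AND binds tighter than OR returns when the OR terms are not parenthesised.

```python
# Added example, not from the advisory: every event, path and user name is constructed.
ADMIN_USERS = {"admin.alice"}  # assumption: stands in for admin_users_list
SYS32 = "C:\\Windows\\System32\\"
PS = SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"
ZOOM = "C:\\Users\\Public\\Downloads\\ZoomInstaller.exe"  # constructed path

def ev(i, user, creator, child):
    """Build one constructed 4688 record; ProcessName is the creating process."""
    return {"id": i, "EventID": 4688, "SubjectUserName": user,
            "ProcessName": creator, "NewProcessName": child}

EVENTS = [
    ev(1, "bob", ZOOM, SYS32 + "cmd.exe"),             # non-admin, Zoom -> cmd
    ev(2, "carol", "C:\\Windows\\explorer.exe", PS),   # non-admin, unrelated PowerShell
    ev(3, "admin.alice", ZOOM, PS),                    # listed admin, Zoom -> PowerShell
    ev(4, "dave", ZOOM, "C:\\Users\\dave\\AppData\\Zoom.exe"),  # Zoom -> non-shell child
    ev(5, "admin.alice", ZOOM, SYS32 + "cmd.exe"),     # listed admin, Zoom -> cmd
]

def like(value, needle):
    """Case-insensitive substring test, the equivalent of LIKE "%needle%"."""
    return needle in value.lower()

def terms(e):
    """Evaluate the five predicates of the query once per event."""
    return (e["EventID"] == 4688,
            like(e["ProcessName"], "zoom"),
            like(e["NewProcessName"], "cmd"),
            like(e["NewProcessName"], "powershell"),
            e["SubjectUserName"].lower() not in ADMIN_USERS)

def grouped(e):
    """Intended rule: the two shell terms are parenthesised together."""
    is_4688, zoom, cmd, ps, non_admin = terms(e)
    return is_4688 and zoom and (cmd or ps) and non_admin

def ungrouped_and_first(e):
    """Same terms with no parentheses, read with AND binding tighter than OR."""
    is_4688, zoom, cmd, ps, non_admin = terms(e)
    return (is_4688 and zoom and cmd) or (ps and non_admin)

def flagged(rule):
    """Return the ids of the constructed events a rule matches."""
    return [e["id"] for e in EVENTS if rule(e)]

if __name__ == "__main__":
    print("grouped:  ", flagged(grouped))
    print("ungrouped:", flagged(ungrouped_and_first))
```

Without the parentheses, event 2 is flagged although Zoom is not involved, and event 5 is flagged although the user is on the admin list.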