CVE-2025-64740
📋 TL;DR
This vulnerability allows an authenticated user with local access to escalate privileges on Windows systems running the Zoom Workplace VDI Client. The installer fails to properly verify cryptographic signatures, enabling attackers to execute arbitrary code with elevated permissions. Exploitation requires local access to an affected Zoom VDI Client installation.
💻 Affected Systems
- Zoom Workplace VDI Client for Windows
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could gain SYSTEM-level privileges, install persistent malware, access sensitive data, and completely compromise the Windows host.
Likely Case
Malicious insiders or attackers with initial access could elevate from standard user to administrator privileges to install additional tools or access restricted resources.
If Mitigated
With proper endpoint protection and least privilege principles, impact is limited to the local machine rather than network-wide compromise.
🎯 Exploit Status
Exploitation requires authenticated local access and knowledge of the vulnerability. The cryptographic signature bypass is likely straightforward once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version specified in Zoom Security Bulletin ZSB-25042
Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/ZSB-25042
Restart Required: Yes
Instructions:
1. Visit the Zoom Security Bulletin ZSB-25042.
2. Download the latest Zoom Workplace VDI Client for Windows.
3. Install the update following Zoom's installation instructions.
4. Restart the system if prompted.
🔧 Temporary Workarounds
Remove vulnerable Zoom VDI Client
Uninstall the vulnerable Zoom Workplace VDI Client if not required
Control Panel > Programs > Uninstall a program > Select Zoom Workplace VDI Client > Uninstall
Restrict local access
Implement strict access controls to limit who can log into affected systems
🧯 If You Can't Patch
- Implement application whitelisting to prevent unauthorized installer execution
- Enforce least privilege principles and remove local administrator rights from standard users
🔍 How to Verify
Check if Vulnerable:
Check the Zoom VDI Client version against the patched version in ZSB-25042. If the installed version is older, the system is vulnerable.
Check Version:
Check Zoom VDI Client version in Windows Settings > Apps or via the Zoom application interface
Verify Fix Applied:
Verify Zoom Workplace VDI Client version matches or exceeds the patched version specified in ZSB-25042
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing privilege escalation attempts
- Zoom installer execution with unusual parameters
- Unexpected process creation with elevated privileges
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
Windows Event ID 4688 (process creation) involving the Zoom installer process, correlated with subsequent privilege changes
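
As an added example (not from Zoom or the original page), the PowerShell below turns the Event ID 4688 indicator into a triage filter: it reports processes whose parent image matches a Zoom-named installer and that run at High or System integrity. The `*zoom*` pattern, the function names and the sample records are assumptions.

```powershell
# Added example, not Zoom's or the page's own tooling.
# Assumptions: the '*zoom*' image-name pattern, function names and sample records.

# Flatten a live Security 4688 record into an object with named fields.
function ConvertFrom-Event4688 {
    param([Parameter(Mandatory)] $Record)
    $fields = [ordered]@{ TimeCreated = $Record.TimeCreated }
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    [pscustomobject]$fields
}

# Report processes started by a Zoom-named image that run at High or System integrity.
function Find-ZoomInstallerChild {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string] $Pattern = '*zoom*'                    # assumed installer name pattern
    )
    $elevatedLabels = 'S-1-16-12288', 'S-1-16-16384'    # High, System integrity levels
    foreach ($e in $Events) {
        if ($e.ParentProcessName -notlike $Pattern) { continue }
        if ($e.MandatoryLabel -notin $elevatedLabels) { continue }
        [pscustomobject]@{
            Parent      = $e.ParentProcessName
            Child       = $e.NewProcessName
            Account     = $e.SubjectUserName
            Integrity   = $e.MandatoryLabel
            CommandLine = $e.CommandLine   # empty unless command-line auditing is enabled
        }
    }
}

# Constructed sample records (placeholder paths, not real indicators).
$sample = @(
    [pscustomobject]@{ ParentProcessName = 'C:\Temp\zoom-installer-PLACEHOLDER.exe'
        NewProcessName = 'C:\Temp\child-PLACEHOLDER.exe'; SubjectUserName = 'HOST01$'
        MandatoryLabel = 'S-1-16-16384'; CommandLine = '' }
    [pscustomobject]@{ ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName = 'C:\Temp\zoom-installer-PLACEHOLDER.exe'; SubjectUserName = 'alice'
        MandatoryLabel = 'S-1-16-8192'; CommandLine = '' }
)
Find-ZoomInstallerChild -Events $sample | Format-List   # only the first record is reported

# Live use (elevated prompt; process-creation auditing must be enabled):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#         ForEach-Object { ConvertFrom-Event4688 $_ }
# Find-ZoomInstallerChild -Events $live
```

Legitimate installs and updates also produce hits, so review each reported child image and account rather than treating a match as confirmation of exploitation.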