Analysis Summary

Zoom has disclosed a critical vulnerability (CVE-2025-49457, CVSS high) affecting multiple Windows-based clients, including Zoom Workplace, VDI, Rooms, Rooms Controller, and Meeting SDK, prior to version 6.3.10. The flaw, detailed under bulletin ZSB-25030, stems from an untrusted search path issue, which can allow attackers to load malicious DLLs or executables from insecure directories. Exploiting this requires only minimal user interaction, such as clicking a malicious link or opening a tainted file, while needing no privileges and having low complexity, making it highly dangerous for a wide range of users.

The vulnerability’s CVSS vector string (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects its severity: it can be exploited over the network without prior access, has low attack complexity, changes scope, and results in high impacts on confidentiality, integrity, and availability. Successful exploitation can lead to privilege escalation, enabling attackers to install malware, exfiltrate sensitive data, or take full control of the system. The flaw affects versions prior to 6.3.10, excluding VDI versions 6.1.16 and 6.2.12, and impacts a large global user base relying on Zoom for critical communications.

Discovered by a Researcher, this vulnerability highlights ongoing challenges in software security, particularly in path-handling mechanisms within Windows environments. Similar flaws have historically been exploited in supply chain attacks and phishing campaigns, where malicious actors leverage DLL hijacking or insecure file loading to compromise systems. In the context of Zoom’s widespread adoption across enterprises, educational institutions, and personal use the risk of widespread exploitation is significant, especially in the current era of remote and hybrid work.

Zoom has issued patches and strongly urges all users to update to the latest versions immediately. Additional mitigation measures include enabling automatic updates, using reputable antivirus solutions, and avoiding interaction with suspicious files or links. This incident reinforces the importance of proactive security practices, such as prompt patching, user awareness training, and regular software audits, to minimize exposure to rapidly evolving cyber threats. Organizations should review their Zoom deployments to ensure all instances are patched and operational security policies are strictly followed to prevent potential breaches.

Impact

• Gain Access
• Privilege Escalation

Indicators of Compromise

CVE

• CVE-2025-49457

Affected Vendors

Remediation

• Update all affected Zoom products for Windows to version 6.3.10 or later (excluding VDI versions 6.1.16 and 6.2.12, which are not vulnerable).
• Ensure automatic update features are turned on to receive future security patches promptly.
• Obtain Zoom updates exclusively from the official Zoom website or trusted enterprise deployment tools.
• Deploy and maintain reputable antivirus or endpoint security solutions to detect and block malicious files.
• Apply the principle of least privilege to reduce the potential impact of privilege escalation attacks.
• Train employees to avoid opening unknown files or clicking suspicious links received via email, chat, or shared in meetings.
• Regularly review software inventories and patch statuses to ensure no outdated Zoom clients remain in use.
• Implement logging and alerting for unusual file loads or execution patterns that may indicate DLL hijacking attempts.