The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network.
Zoom is a popular cloud-based video conferencing service for corporate meetings, educational lessons, social interactions/gatherings, and more. It offers screen sharing, meeting recording, custom backgrounds, in-meeting chat, and various productivity-focused features.
The software’s popularity surged during the COVID-19 pandemic when many organizations turned to remote solutions to maintain operations and business continuity. By April 2020, it reached a peak of 300 million daily meeting participants.
The newly disclosed flaw is tracked as CVE-2024-24691 and was discovered by Zoom’s offensive security team, receiving a CVSS v3.1 score of 9.6, rating it “critical.”
The vulnerability impacts the following product versions:
- Zoom Desktop Client for Windows before version 5.16.5
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Rooms Client for Windows before version 5.17.0
- Zoom Meeting SDK for Windows before version 5.16.5
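As an added example that is not part of the article, the affected-version table above encoded as a check that a fleet inventory script could run before deciding which hosts still need the update. The product labels, hostnames and sample versions are constructed for this example; the fixed versions and the VDI exclusions are the ones listed above.

```python
# Added example: triage an installed-software inventory against the
# CVE-2024-24691 affected-version table. Not Zoom's code or tooling.

def parse_version(v: str) -> tuple:
    """Turn '5.16.10' into (5, 16, 10) so versions compare numerically.
    Comparing the raw strings would be wrong: '5.9.0' > '5.16.5' as text."""
    return tuple(int(part) for part in v.strip().split("."))

# First fixed version per product, plus versions the advisory explicitly
# excludes from the affected range. Product keys are constructed labels.
AFFECTED = {
    "desktop":     {"fixed": "5.16.5",  "exempt": set()},
    "vdi":         {"fixed": "5.16.10", "exempt": {"5.14.14", "5.15.12"}},
    "rooms":       {"fixed": "5.17.0",  "exempt": set()},
    "meeting_sdk": {"fixed": "5.16.5",  "exempt": set()},
}

def is_affected(product: str, version: str) -> bool:
    """True when the given build is below the fixed version and not exempt."""
    entry = AFFECTED[product]
    if version in entry["exempt"]:
        return False
    return parse_version(version) < parse_version(entry["fixed"])

def triage(inventory):
    """Return (host, product, version) for every install that still needs the update."""
    return [
        (host, product, version)
        for host, product, version in inventory
        if is_affected(product, version)
    ]

# Constructed sample inventory: hostnames and versions invented for this example.
SAMPLE_INVENTORY = [
    ("ws-01",    "desktop",     "5.16.4"),
    ("ws-02",    "desktop",     "5.17.7"),
    ("vdi-01",   "vdi",         "5.15.12"),  # excluded by the advisory
    ("vdi-02",   "vdi",         "5.15.11"),
    ("room-01",  "rooms",       "5.16.10"),  # fixed only from 5.17.0
    ("build-01", "meeting_sdk", "5.9.0"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} needs the update")
```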
The short description of the flaw does not specify how it could be exploited or what the repercussions might be, but the CVSS vector indicates that it requires some user interaction.
This could involve clicking a link, opening a message attachment, or performing some other action that the attacker could leverage to exploit CVE-2024-24691.
For most users, Zoom should automatically prompt them to update to the latest version. However, you can also manually download and install the latest release of the desktop client for Windows, version 5.17.7, from here.
Apart from the improper input validation flaw, the latest Zoom release also addresses the following six vulnerabilities:
- CVE-2024-24697: A high-severity issue in Zoom 32-bit Windows clients allows privilege escalation through local access by exploiting an untrusted search path.
- CVE-2024-24696: An in-meeting chat vulnerability in Zoom Windows clients caused by improper input validation enables information disclosure over the network.
- CVE-2024-24695: Similar to CVE-2024-24696, improper input validation in Zoom Windows clients allows information disclosure over the network.
- CVE-2024-24699: A business logic error in Zoom’s in-meeting chat feature can lead to information disclosure over the network.
- CVE-2024-24690: A vulnerability in some Zoom clients caused by improper input validation can trigger a denial of service over the network.
- CVE-2024-24698: Improper authentication flaw in some Zoom clients permits information disclosure through local access by privileged users.
Zoom users should apply the security update as soon as possible to mitigate the likelihood of external actors elevating their privileges to a level that allows them to steal sensitive data, disrupt or eavesdrop on meetings, and install backdoors.