Zoom has issued multiple security bulletins detailing patches for several vulnerabilities affecting its Workplace applications.
The disclosures, published today, highlight two high-severity issues alongside medium-rated flaws, underscoring the ongoing challenges in securing video conferencing tools used by millions in hybrid work environments.
These updates come as cybersecurity experts warn of increasing exploitation attempts on collaboration software, potentially exposing users to unauthorized access and system disruptions.
Zoom Security Vulnerabilities
The most pressing concerns stem from ZSB-25043 and ZSB-25042, both rated high severity. In Zoom Workplace for Android, an improper authorization handling flaw (CVE-2025-64741) could enable attackers to bypass access controls, allowing unauthorized actions within the app, such as joining meetings without permission or accessing sensitive session data.
This vulnerability affects Android versions prior to the latest patch, where flawed permission checks might let malicious actors manipulate user privileges over the network.
Similarly, the Zoom Workplace VDI Client for Windows suffers from improper verification of cryptographic signatures (CVE-2025-64740), opening doors to attacks like accepting tampered updates or intercepting communications.
Security researchers note that such signature validation failures have historically led to supply chain compromises, where attackers inject malware into legitimate-looking software distributions.
Complementing these are two medium-severity path manipulation vulnerabilities. ZSB-25041 impacts various Zoom Clients with external control of file name or path (CVE-2025-64739), potentially allowing adversaries to redirect file operations to unintended locations, risking data leakage or arbitrary code execution if exploited in tandem with other flaws.
A parallel issue in Zoom Workplace for macOS (ZSB-25040, CVE-2025-64738) shares this risk, where attackers could leverage crafted inputs to traverse directories and overwrite critical files.
These path traversal bugs echo common web app weaknesses but are adapted for desktop clients, emphasizing the need for robust input sanitization in cross-platform tools.
Rounding out the bulletins is ZSB-25015, an updated advisory from April 2025, now covering null pointer dereferences in Zoom Workplace Apps for Windows (CVE-2025-30670 and CVE-2025-30671).
Initially published on April 8 and revised on November 10, this medium-severity issue could cause application crashes or denial-of-service conditions when the software mishandles null references during processing.
While not directly exploitable for code execution, it highlights persistent stability concerns in Windows environments, where repeated crashes might disrupt business operations.
Zoom urges immediate updates to the latest versions across affected platforms, including Android, Windows, macOS, and VDI clients, to mitigate these risks.
The company maintains its policy of not disclosing exploitation details, focusing instead on rapid patching, but independent analyses suggest these flaws could be chained for broader impacts like privilege escalation in enterprise settings.
As remote work persists, organizations should prioritize patch management, enable multi-factor authentication, and monitor for anomalous app behavior.
This wave of bulletins follows a pattern of frequent Zoom updates throughout 2025, addressing over a dozen vulnerabilities since August, including critical untrusted search path issues.
With CVEs assigned today, the National Vulnerability Database is expected to provide further scoring soon, but early assessments peg the high-severity flaws at CVSS scores above 7.5. For users, the message is clear: timely updates remain the frontline defense against evolving threats in unified communications platforms.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
