What is the most severe vulnerability reported?

The most severe vulnerability is CVE-2025-30663 with a CVSS score of 8.8. It's a Time-of-Check Time-of-Use (TOCTOU) vulnerability, which is a race condition in Zoom Workplace applications allowing local users to exploit timing discrepancies between resource verification and usage. While exploitation requires local system access and authentication credentials, successful attacks could lead to unauthorized access to sensitive information and privilege escalation.

What are the NULL pointer dereference bugs affecting Zoom?

CVE-2025-30665, CVE-2025-30666, CVE-2025-30667, and CVE-2025-30668 (all with CVSS score 6.5) are NULL pointer dereference bugs. These vulnerabilities could cause application crashes or allow attackers to execute arbitrary code, resulting in denial-of-service conditions or remote code execution.

What other vulnerabilities were reported in Zoom applications?

Two additional vulnerabilities were reported: CVE-2025-30664 (CVSS score 6.5), an improper neutralization of special elements vulnerability that allows attackers to inject malicious inputs via unvalidated user data, potentially bypassing security controls; and CVE-2025-46785 (CVSS score 6.5), a buffer boundary reading vulnerability that could expose sensitive memory contents or cause application instability when exploited.

Which Zoom software versions are affected by these vulnerabilities?

Affected software includes: Zoom Workplace Desktop App for Windows (versions before 6.4.0 62047), Zoom Workplace Desktop App for macOS (versions before 6.3.11 50104), Zoom Workplace Desktop App for Linux (versions before 6.3.11 7212), Virtual Desktop Infrastructure (VDI) (versions 6.1.0 – 6.2.12.25780), and Zoom Rooms Controllers and Clients, and Zoom Meeting SDK across Windows, macOS, Linux, iOS, and Android platforms.

What are the potential impacts of these vulnerabilities?

The potential impacts include privilege escalation, denial-of-service (DoS) attacks, remote code execution, unauthorized access to sensitive information, application crashes, and system instability.

Are mobile versions of Zoom also affected by these vulnerabilities?

Yes, the vulnerabilities affect Zoom applications across multiple platforms, including iOS and Android, specifically for Zoom Rooms Controllers and Clients, and Zoom Meeting SDK components.

Advisory

Multiple security vulnerabilities reported in Zoom Workplace applications

published: May 13, 2025

Take action: This is not an urgent advisory, but it's very smart to update your Zoom Apps. Even if the flaws are not immediately exploited, Zoom is used in many scenarios with external persons, links, files. Don't risk it, update the app. It's a fairly trivial process - just Check for Updates and run the installer.

Learn More

Zoom Video Communications is reporting security vulnerabilities affecting its Workplace Apps across Windows, macOS, Linux, iOS, and Android.

These vulnerabilities potentially enable attackers to escalate privileges, execute denial-of-service (DoS) attacks, and remotely execute malicious code on affected systems.

Vulnerability summary

CVE-2025-30663 (CVSS score 8.8) - Time-of-Check Time-of-Use (TOCTOU) vulnerability. A race condition in Zoom Workplace applications, allowing local users to exploit timing discrepancies between resource verification and usage. While exploitation requires local system access and authentication credentials, successful attacks could lead to unauthorized access to sensitive information and privilege escalation.
CVE-2025-30665, CVE-2025-30666, CVE-2025-30667, CVE-2025-30668 (CVSS score 6.5) - NULL pointer dereference bugs. These vulnerabilities could cause application crashes or allow attackers to execute arbitrary code, resulting in denial-of-service conditions or remote code execution.
CVE-2025-30664 (CVSS score 6.5) - Improper neutralization of special elements. Allows attackers to inject malicious inputs via unvalidated user data, potentially bypassing security controls.
CVE-2025-46785 (CVSS score 6.5)) - Buffer boundary reading vulnerability. Could expose sensitive memory contents or cause application instability when exploited.\

Affected software includes:

Zoom Workplace Desktop App for Windows (versions before 6.4.0 62047)
Zoom Workplace Desktop App for macOS (versions before 6.3.11 50104)
Zoom Workplace Desktop App for Linux (versions before 6.3.11 7212)
Virtual Desktop Infrastructure (VDI) (versions 6.1.0 – 6.2.12.25780)
Zoom Rooms Controllers and Clients, and Zoom Meeting SDK across Windows, macOS, Linux, iOS, and Android platforms.

Zoom strongly recommends updating to the latest software versions to receive all security improvements. In their security bulletin, the company stated, "We recommend users update to the latest version of Zoom software to get the latest fixes and security improvements."

Multiple security vulnerabilities reported in Zoom Workplace applications

Read More
Google releases October 2024 Android patches, fixes 26 …
Google patches 10 security flaws in chrome 144 …
Google Android March 2026 Security Bulletin Patches 129 …
Windows kernel flaw actively exploited
Critical vulnerabilities in Google Home and Google Nest …