What security vulnerabilities did Zoom patch in their latest update?

Zoom released patches for multiple vulnerabilities across its Windows and macOS client applications, Workplace platform, and various specialized products. The updates address 7 vulnerabilities ranging from critical to moderate severity, including privilege escalation, buffer overflow, and cross-site scripting flaws.

What is the most critical Zoom vulnerability that was patched?

CVE-2025-49457 is the most critical vulnerability with a CVSS score of 9.6. It's an untrusted search path vulnerability in Zoom Clients for Windows that allows an unauthenticated user to conduct privilege escalation attacks via network access by exploiting improper handling of search paths during startup processes.

Which Zoom products are affected by CVE-2025-49457?

CVE-2025-49457 affects multiple Zoom Windows products including Zoom Workplace for Windows before version 6.3.10, Zoom Workplace VDI for Windows before version 6.3.10, Zoom Rooms for Windows before version 6.3.10, Zoom Rooms Controller for Windows before version 6.3.10, and Zoom Meeting SDK for Windows before version 6.3.10.

Are there any vulnerabilities affecting Zoom's macOS products?

Yes, CVE-2025-58131 (CVSS score 6.6) affects the VMware Horizon VDI Plugin for macOS Universal installer. This is a race condition vulnerability that could potentially be exploited by attackers.

What other types of vulnerabilities were patched by Zoom?

Other vulnerabilities include CVE-2025-49458 (buffer overflow that could lead to arbitrary code execution), CVE-2025-58135 (improper action enforcement), CVE-2025-58134 (incorrect authorization), CVE-2025-49460 (argument injection), and CVE-2025-49461 (cross-site scripting XSS flaw).

Have these Zoom vulnerabilities been exploited in the wild?

No information has been disclosed regarding active exploitation of these vulnerabilities in the wild. However, users should still apply updates promptly as a security precaution.

What is the risk level of the Zoom buffer overflow vulnerability?

CVE-2025-49458 is a buffer overflow vulnerability with a CVSS score of 6.5, classified as medium severity. This vulnerability could potentially lead to arbitrary code execution, making it important for users to apply the security update.

Do the Zoom vulnerabilities affect VDI environments?

Yes, both Windows and macOS VDI environments are affected. CVE-2025-49457 affects Zoom Workplace VDI for Windows before version 6.3.10, and CVE-2025-58131 affects the VMware Horizon VDI Plugin for macOS Universal installer.

Are there any cross-site scripting vulnerabilities in Zoom's latest patch?

Yes, CVE-2025-49461 is a cross-site scripting (XSS) flaw with a CVSS score of 4.3 that enables script injection. While classified as low severity, XSS vulnerabilities can still be used in targeted attacks and should be patched promptly.

Advisory

Zoom releases multiple patches for Windows and macOS clients, at least one critical

published: Sept. 9, 2025

Take action: If you're using Zoom products on Windows or macOS, update to the latest version (6.3.10 or newer). Prioritize Windows systems first since they face the highest risk (critical flaw), and ensure all Zoom products including Workplace, Rooms, and VDI clients are updated across your organization.

Learn More

Zoom released patches for multiple vulnerabilities across its Windows and macOS client applications, Workplace platform, and various specialized products.

Vulnerability summary:

CVE-2025-49457 (CVSS score 9.6) an untrusted search path vulnerability in Zoom Clients for Windows. This vulnerability allows an unauthenticated user to conduct privilege escalation attacks via network access, exploiting the application's improper handling of search paths during startup processes. Affected products include:
- Zoom Workplace for Windows before version 6.3.10,
- Zoom Workplace VDI for Windows before version 6.3.10 (with specific version requirements for different tracks including 6.1.16 and 6.2.12),
- Zoom Rooms for Windows before version 6.3.10,
- Zoom Rooms Controller for Windows before version 6.3.10,
- Zoom Meeting SDK for Windows before version 6.3.10.
CVE-2025-58131 (CVSS score 6.6) - Race Condition vulnerability in VMware Horizon VDI Plugin for macOS Universal installer
CVE-2025-49458 (CVSS score 6.5) - Buffer Overflow vulnerability that could lead to arbitrary code execution
CVE-2025-58135 (CVSS score 5.3) - Improper Action Enforcement vulnerability in Windows Workplace Clients
CVE-2025-58134 (CVSS score 4.3) - Incorrect Authorization flaw in Windows Workplace Clients
CVE-2025-49460 (CVSS score 4.3) - Argument Injection vulnerability allowing manipulation of application behavior
CVE-2025-49461 (CVSS score 4.3) - Cross-site Scripting (XSS) flaw enabling script injection

Zoom strongly recommends that all users and administrators apply these security updates using the built-in update mechanisms within Zoom applications or through enterprise software distribution systems

No information has been disclosed regarding active exploitation of these vulnerabilities in the wild.

Zoom releases multiple patches for Windows and macOS clients, at least one critical

Read More
Western Digital reports critical flaw in My Cloud …
December 2023 Microsoft patch release addresses fixes 34 …
Mozilla releases updates for Firefox, 18 vulnerabilities patched, …
Foxit PDF releases version that fixes over 50 …
Chrome fixes four high-severity issues