Zoom, a well-known video conferencing software, has patched seven vulnerabilities in its desktop and mobile applications, particularly a critical flaw identified as CVE-2024-24691 impacting Windows software.
Notably, a high-severity escalation of privilege issue affecting Windows software was also fixed by the company and assigned as CVE-2024-24697.
A privilege escalation attack is an attempt to obtain unauthorized access to higher rights, permissions, privileges, or entitlements than those allocated to a particular account, user, or device. This can occur as a result of a system flaw, misconfiguration, or inadequate access controls.
CVE-2024-24691- Improper Input Validation
With a CVSS Score of 9.6, this critical severity flaw may enable an unauthorized user to carry out an escalation of privilege via network access due to improper input validation in the Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows.
Affected Products:
- Zoom Desktop Client for Windows before version 5.16.5
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Rooms Client for Windows before version 5.17.0
- Zoom Meeting SDK for Windows before version 5.16.5
CVE-2024-24697 – Untrusted Search Path
An untrusted search path in some Zoom 32-bit Windows clients is a high-severity vulnerability with a CVSS score of 7.2 that could enable an authorized user to carry out a local access privilege escalation.
Affected Products:
- Zoom Desktop Client for Windows before version 5.17.0
- Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
- Zoom Meeting SDK for Windows before version 5.17.0
- Zoom Rooms Client for Windows before version 5.17.0
Zoom also addressed other significant issues, including:
- CVE-2024-24690 – Improper Input Validation in Zoom Clients
- CVE-2024-24699 – Business Logic Error in Zoom Clients
- CVE-2024-24698 – Improper Authentication in Zoom Clients
- CVE-2024-24696– Improper Input Validation in Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows
- CVE-2024-24695 – Improper Input Validation in Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows
Zoom doesn’t disclose that any of these vulnerabilities have been used in malicious attacks. Thus, the company advises users to update their apps to the most recent available versions as soon as possible.