Multiple vulnerabilities in Zoom applications

Published: 2025-05-13 | Updated: 2025-05-19

Risk	Medium
Patch available	YES
Number of vulnerabilities	9
CVE-ID	CVE-2025-46786 CVE-2025-46785 CVE-2025-30668 CVE-2025-30667 CVE-2025-30666 CVE-2025-30665 CVE-2025-30664 CVE-2025-30663 CVE-2025-46787
CWE-ID	CWE-20 CWE-126 CWE-476 CWE-78 CWE-362
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Zoom Workplace Desktop App for Windows Client/Desktop applications / Office applications Zoom Workplace Desktop App for macOS Client/Desktop applications / Office applications Zoom Workplace Desktop App for Linux Client/Desktop applications / Office applications Zoom Rooms Controller for Windows Client/Desktop applications / Office applications Zoom Rooms Controller for macOS Client/Desktop applications / Office applications Zoom Rooms Controller for Linux Client/Desktop applications / Office applications Zoom Rooms Client for Windows Client/Desktop applications / Office applications Zoom Rooms Client for macOS Client/Desktop applications / Office applications Zoom Workplace App for iOS Mobile applications / Apps for mobile phones Zoom Workplace App for Android Mobile applications / Apps for mobile phones Zoom Rooms Controller for Android Mobile applications / Apps for mobile phones Zoom Rooms Client for Android Mobile applications / Apps for mobile phones Zoom Rooms Client for iPad Mobile applications / Apps for mobile phones Virtual Desktop Infrastructure (VDI) Server applications / Conferencing, Collaboration and VoIP solutions Zoom Meeting SDK for Windows Universal components / Libraries / Software for developers Zoom Meeting SDK for iOS Universal components / Libraries / Software for developers Zoom Meeting SDK for Android Universal components / Libraries / Software for developers Zoom Meeting SDK for macOS Universal components / Libraries / Software for developers Zoom Meeting SDK for Linux Universal components / Libraries / Software for developers
Vendor	Zoom Video Communications, Inc.

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU109009

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-46786

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into performing unspecified actions and impact integrity of the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Zoom Workplace App for Android: 4.6.11 20553.0413 - 6.3.11 28196

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for iOS: 5.9.0 - 6.3.10

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25022/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Buffer Over-read

EUVDB-ID: #VU109008

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-46785

CWE-ID: CWE-126 - Buffer over-read

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error. A remote attacker can send specially crafted data to the application, trigger a buffer over-read and crash it.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25021/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU109007

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30668

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25020/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) NULL pointer dereference

EUVDB-ID: #VU109006

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30667

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Zoom Workplace App for Android: 4.6.11 20553.0413 - 6.3.11 28196

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for iOS: 5.9.0 - 6.3.10

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25019/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) NULL pointer dereference

EUVDB-ID: #VU109005

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30666

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25018/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) NULL pointer dereference

EUVDB-ID: #VU109004

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30665

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and crash it.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25018/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) OS Command Injection

EUVDB-ID: #VU109003

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30664

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper input validation. A local user can execute arbitrary OS commands on the target system with elevated privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Zoom Workplace App for Android: 4.6.11 20553.0413 - 6.3.11 28196

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for iOS: 5.9.0 - 6.3.10

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

Virtual Desktop Infrastructure (VDI): All versions

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25017/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Race condition

EUVDB-ID: #VU109001

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-30663

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Zoom Workplace App for Android: 4.6.11 20553.0413 - 6.3.11 28196

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.11.25670

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for iOS: 5.9.0 - 6.3.10

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25016/

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Input validation error

EUVDB-ID: #VU109406

Risk: Medium

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-46787

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into performing unspecified actions and impact integrity of the application.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 0.9.10042.0911 - 6.4.0 62047

Zoom Workplace Desktop App for macOS: 4.6.9 19273.0402 - 6.3.11 50104

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 6.3.11 7212

Zoom Workplace App for iOS: 4.6.10 20012.0407 - 6.3.11 22661

Zoom Workplace App for Android: 4.6.11 20553.0413 - 6.3.11 28196

Virtual Desktop Infrastructure (VDI): 6.1.0 - 6.2.12.25780

Zoom Rooms Controller for Windows: 6.1.0 - 6.3.5

Zoom Rooms Controller for macOS: 6.1.0 - 6.3.5

Zoom Rooms Controller for Linux: 6.0.0 - 6.3.5

Zoom Rooms Controller for Android: 6.1.0 - 6.3.0

Zoom Rooms Client for Windows: 4.6.5 18374.0407 - 6.3.0

Zoom Rooms Client for macOS: 4.6.5 2040.0406 - 6.3.0

Zoom Rooms Client for Android: 5.15.10 - 6.3.0

Zoom Rooms Client for iPad: 5.15.10 - 6.3.0

Zoom Meeting SDK for Windows: 5.9.0 - 6.3.11

Zoom Meeting SDK for iOS: 5.9.0 - 6.3.10

Zoom Meeting SDK for Android: 5.9.0 - 6.3.10

Zoom Meeting SDK for macOS: 5.9.0 - 6.3.11

Zoom Meeting SDK for Linux: 5.15.5 - 6.3.10

CPE2.3

External links

https://www.zoom.com/en/trust/security-bulletin/ZSB-25022/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to trick the victim to visit a specially crafted website or open a file.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.