Recent security disclosures reveal multiple high-severity vulnerabilities in Zoom’s client software, exposing millions of users to potential data breaches, privilege escalation, and unauthorized access.
The most critical flaws, patched in Zoom’s March 11, 2025, security bulletin, include CVE-2025-27440 (heap-based buffer overflow), CVE-2025-27439 (buffer underflow), CVE-2025-0151 (use-after-free), and CVE-2025-0150 (incorrect behavior order in iOS Workplace Apps), all rated high severity with CVSS scores ranging from 7.1 to 8.5.
These vulnerabilities affect Zoom’s desktop, mobile, and Workplace applications, enabling authenticated attackers to execute arbitrary code, corrupt memory, or bypass security protocols via network access.
The heap-based buffer overflow (CVE-2025-27440) occurs when Zoom Apps write more data to a heap buffer than it can hold, overwriting adjacent memory regions. Attackers exploiting this vulnerability could inject malicious code into systems running Zoom Workplace Apps, particularly on Windows and macOS.
For instance, a crafted network packet could trigger a heap overflow, allowing privilege escalation from standard user to administrator-level access.
The buffer underflow (CVE-2025-27439) in Zoom Apps arises when operations read more data from a buffer than it contains, potentially crashing the application or exposing sensitive memory contents.
This could facilitate denial-of-service (DoS) attacks or data leakage in meetings using outdated clients.
The use-after-free (CVE-2025-0151) is a memory corruption flaw that occurs when Zoom Apps reference a memory address after it has been deallocated.
Attackers could manipulate the freed memory to execute code, compromise meeting encryption keys, or access user credentials.
In CVE-2025-0150, Zoom Workplace Apps for iOS improperly sequence security checks, enabling attackers to intercept authentication tokens or meeting metadata before validation completes.
This vulnerability could expose enterprise-level data in hybrid work environments.
The medium-severity CVE-2025-0149 (CVSS 6.5) allows unprivileged users to send malformed network packets that bypass authenticity checks, triggering DoS conditions.
This vulnerability highlights systemic weaknesses in Zoom’s data validation protocols, affecting Workplace Apps across platforms.
Impacted software includes:
Zoom’s security team has released patches but avoids detailing exploit scenarios or customer-specific impacts.
The company advises all users to upgrade to Zoom Client 6.2.0 or later, which includes fixes for 12 vulnerabilities disclosed in March 2025 alone.
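A fleet check for the remediation above, written as an added example rather than anything Zoom publishes: it parses the version strings an inventory tool might report for the Zoom client and flags hosts below 6.2.0, comparing numerically so that a client such as 6.10.x is not mistaken for an unpatched one. The hostnames and version strings are constructed sample data.

```python
import re
from typing import Iterable, List, Tuple

# Minimum fixed client version named in Zoom's March 2025 bulletin.
MIN_PATCHED = "6.2.0"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(raw: str) -> Tuple[int, ...]:
    """Extract the dotted numeric version from strings such as
    '6.2.0', '6.2.0 (45123)' or 'Zoom 5.17.11.3835'. Build numbers in
    parentheses are ignored. Raises ValueError if no version is present."""
    match = _VERSION_RE.search(raw)
    if not match:
        raise ValueError(f"no version number in {raw!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(raw: str, minimum: str = MIN_PATCHED) -> bool:
    """Compare as integer tuples, never as strings: as strings,
    '6.10.0' < '6.2.0' would wrongly flag a newer client as vulnerable."""
    have, need = parse_version(raw), parse_version(minimum)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))  # so 6.2 compares equal to 6.2.0
    need += (0,) * (width - len(need))
    return have >= need


def audit(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return hosts whose client is below the patched version or whose
    version string is unparseable (treated as unpatched, not ignored)."""
    needs_upgrade = []
    for host, raw in inventory:
        try:
            ok = is_patched(raw)
        except ValueError:
            ok = False
        if not ok:
            needs_upgrade.append(host)
    return needs_upgrade


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = [
    ("ws-001", "6.2.0 (45123)"),
    ("ws-002", "5.17.11.3835"),
    ("ws-003", "Zoom 6.10.1"),
    ("ws-004", "6.1.6"),
    ("ws-005", "unknown"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade Zoom client to {MIN_PATCHED} or later")
```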
Zoom’s latest vulnerabilities highlight the fragility of widely adopted communication platforms in an era of sophisticated cyberattacks.
While the company has responded swiftly with patches, the recurrence of memory corruption and input validation flaws suggests more profound architectural challenges.
As remote work persists, proactive vulnerability management remains non-negotiable.