Zoom Desktop Flaws Let Attackers Launch Privilege Escalation Attacks

Zoom, a well-known video conferencing software, has patched seven vulnerabilities in its desktop and mobile applications, particularly a critical flaw identified as CVE-2024-24691 impacting Windows software.

Notably, a high-severity escalation of privilege issue affecting Windows software was also fixed by the company and assigned as CVE-2024-24697.

A privilege escalation attack is an attempt to obtain unauthorized access to higher rights, permissions, privileges, or entitlements than those allocated to a particular account, user, or device. This can occur as a result of a system flaw, misconfiguration, or inadequate access controls.

Document
Live Account Takeover Attack Simulation

How do Hackers Bypass 2FA?

Live attack simulation Webinar demonstrates various ways in which account takeover can happen and practices to protect your websites and APIs against ATO attacks .

CVE-2024-24691- Improper Input Validation

With a CVSS Score of 9.6, this critical severity flaw may enable an unauthorized user to carry out an escalation of privilege via network access due to improper input validation in the Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5

CVE-2024-24697 – Untrusted Search Path

An untrusted search path in some Zoom 32-bit Windows clients is a high-severity vulnerability with a CVSS score of 7.2 that could enable an authorized user to carry out a local access privilege escalation.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0

Zoom also addressed other significant issues, including:

  • CVE-2024-24690 – Improper Input Validation in Zoom Clients
  • CVE-2024-24699 – Business Logic Error in Zoom Clients
  • CVE-2024-24698 – Improper Authentication in Zoom Clients
  • CVE-2024-24696–  Improper Input Validation in Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows
  • CVE-2024-24695 – Improper Input Validation in Zoom Desktop Client, Zoom VDI Client, and Zoom Meeting SDK for Windows

Zoom doesn’t disclose that any of these vulnerabilities have been used in malicious attacks. Thus, the company advises users to update their apps to the most recent available versions as soon as possible.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.