Zoom Releases Critical Security Updates to Address Multiple Vulnerabilities

Zoom Video Communications has issued a set of security updates fixing multiple vulnerabilities across its suite of applications, including Zoom Workplace and the Windows and macOS clients. The batch covers one high-severity flaw and several medium-severity issues; none of the newly listed issues is rated critical, but all of them are fixed only by moving to the patched client versions, so users and administrators should update promptly.

High-Severity Vulnerability: CVE-2025-49459

The most serious vulnerability in this batch is a Missing Authorization flaw, tracked as CVE-2025-49459, which specifically affects Zoom Workplace for Windows on ARM platforms. A missing authorization flaw means the application performs an operation without first checking whether the requesting party is allowed to perform it, so an attacker could trigger actions the client should have refused.

Medium-Severity Vulnerabilities in Windows Clients

In addition to the high-severity issue, Zoom has patched several medium-severity vulnerabilities that impact its Windows clients:

– CVE-2025-58135: An Improper Action Enforcement vulnerability that could let a user carry out actions beyond what their role or permissions allow.

– CVE-2025-58134: An Incorrect Authorization issue, where an authorization check exists but is applied incorrectly, potentially allowing users to exceed their permitted access levels.

Additional Medium-Severity Vulnerabilities

Zoom’s security bulletin also details other medium-severity vulnerabilities affecting a broader range of Zoom Workplace clients:

– CVE-2025-49458: A Buffer Overflow vulnerability, a memory-corruption bug that in the worst case leads to arbitrary code execution with the privileges of the Zoom client process.

– CVE-2025-49460: An Argument Injection flaw, where attacker-controlled input ends up in the arguments the application passes to a command or program, letting the attacker change what that program does.

– CVE-2025-49461: A Cross-site Scripting (XSS) vulnerability, which could allow an attacker to inject script into web content rendered by the client, potentially leading to data theft or further exploitation in the context of the user's session.

Race Condition Vulnerability in macOS VDI Plugin

Additionally, a Race Condition vulnerability (CVE-2025-58131) was patched in the Zoom Workplace VDI Plugin for macOS Universal installer for VMware Horizon. Race conditions produce behaviour that depends on timing rather than on program logic; in an installer, which commonly runs with elevated privileges, a window between checking a file and using it can be enough for a local user to substitute content, so the outcome ranges from denial of service to privilege escalation.

Recommendations for Users

Zoom consistently advises users to update to the latest version to receive the most recent security fixes and improvements. This batch of patches follows an earlier update addressing a critical vulnerability, CVE-2025-49457, an untrusted search path flaw in the Windows clients that could allow privilege escalation. An untrusted search path flaw typically means the client loads a library or executable from a location an attacker can write to, so planting a file there gets attacker code run with the client's privileges. That vulnerability, rated CVSS 9.6, showed the risk of running outdated clients: according to Zoom it could enable an unauthenticated attacker with network access to escalate privileges.

Given the steady stream of flaws, ranging from critical to medium severity, both individual users and organizations should apply these updates promptly. Delaying leaves systems exposed to data exfiltration, denial of service, and full system compromise. The latest versions are available on Zoom's official website and through the application's own update channel. Administrators inventorying a fleet should remember that the standard Zoom installer on Windows installs per user rather than machine-wide, so a check that only looks at machine-wide installs will miss most clients.
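The following script is an added example, not Zoom's own tooling, showing the check an administrator would run on a Windows host to find every installed Zoom product and flag any below a minimum version. The minimum version is passed in as a parameter and is an assumption you set from Zoom's bulletin for the CVEs you care about; this page does not state the fixed version numbers. It reads the per-user and both machine-wide uninstall registry hives, because Zoom's default installer is per user.

```powershell
# Added example (not Zoom's tooling): inventory Zoom client installs on a Windows host
# and flag any below a minimum version. The threshold is an assumption supplied by the
# caller from Zoom's security bulletin; it is not taken from this page.
param(
    [Parameter(Mandatory = $true)]
    [version]$MinimumVersion
)

# Zoom installs per user by default (HKCU) but can also be installed machine-wide
# (HKLM, 64-bit and 32-bit views), so all three uninstall hives are checked.
$uninstallKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ZoomInstalls {
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match '^Zoom' } |
            ForEach-Object {
                # DisplayVersion is usually "major.minor.patch (build)"; keep only the
                # dotted prefix so it can be compared as a [version].
                $m = [regex]::Match([string]$_.DisplayVersion, '^\d+(\.\d+){1,3}')
                [pscustomobject]@{
                    Name    = $_.DisplayName
                    Version = if ($m.Success) { [version]$m.Value } else { $null }
                    Raw     = $_.DisplayVersion
                    Source  = $key
                }
            }
    }
}

$installs = @(Get-ZoomInstalls)
if ($installs.Count -eq 0) {
    Write-Output 'No Zoom products found in the uninstall registry keys.'
    exit 0
}

$installs | Format-Table Name, Raw, Source -AutoSize

# Treat an unparseable version as outdated: an unknown version cannot be trusted.
$outdated = @($installs | Where-Object { $null -eq $_.Version -or $_.Version -lt $MinimumVersion })
if ($outdated.Count -gt 0) {
    Write-Warning ("{0} Zoom install(s) below {1}:" -f $outdated.Count, $MinimumVersion)
    $outdated | Format-Table Name, Raw, Source -AutoSize
    exit 1   # non-zero exit so a fleet-management job can flag this host
}
Write-Output "All Zoom installs are at or above $MinimumVersion."
```

Run it as `.\Check-ZoomVersion.ps1 -MinimumVersion 6.x.y` with the version Zoom's bulletin lists as fixed for the CVE you are tracking. Because the script reads HKCU, it reports only the current user's per-user install; for a multi-user machine run it in each user's context or load the other users' hives.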