Zoom has released updates addressing a series of vulnerabilities across its suite of applications. Ranging in severity, these flaws include privilege escalation (EoP), denial-of-service (DoS) risks, and information disclosure.
A critical type confusion vulnerability, CVE-2025-0147, was discovered in the Zoom Workplace App for Linux, and it enables attackers to escalate privileges via network access, impacting confidentiality, integrity, and availability.
The Linux products it affects are Workplace App (before 6.2.10), Meeting SDK (before 6.2.10), and Video SDK (before 6.2.10).
CVE-2025-0145, CVE-2025-0143, and CVE-2025-0142 have been marked as medium severity vulnerabilities, while CVE-2025-0146 and CVE-2025-0144 are low.
CVE-2025-0145 is an untrusted search path issue found in the Windows installer of certain Zoom Workplace Apps that allows EoP via local access. It has a CVSS score of 4.6 (Medium) and impacts Workplace App for Windows (before 6.2.5), Workplace VDI Client for Windows (before 6.1.13, except 6.0.15), and various other Windows-based Zoom applications.
CVE-2025-0143 is an out-of-bounds write vulnerability in the Zoom Workplace App for Linux (before 6.2.5) that could allow unauthorized users to conduct DoS attacks via network access. It affects the Workplace App and the Meeting and Video SDKs.
CVE-2025-0142 is a flaw in the Zoom Jenkins bot plugin (versions prior to 1.6) involving cleartext storage of sensitive information, which creates a risk of information disclosure through network access.
CVE-2025-0146 is a symlink following flaw in the macOS installer of the Zoom Workplace App that could lead to DoS attacks via local access by authenticated users. Affected products: Zoom Workplace App for macOS (before 6.2.10) and other macOS applications, including Zoom Rooms Client and SDKs.
CVE-2025-0144 is an out-of-bounds write flaw identified across multiple versions of Zoom Workplace Apps that could compromise data integrity via network access. Although rated with a CVSS score in the low-severity range, this issue affects a diverse range of platforms, including Windows, macOS, Linux, iOS, and Android.
Zoom encourages all users to update their apps to the latest versions available through its official website or plugin repositories. Timely updates are crucial to mitigating the risks posed by these vulnerabilities.
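To find which installs still need those updates, the fixed-version boundaries quoted above can be checked against a software inventory. The following is an added example, not Zoom's tooling: the product labels and sample hosts are hypothetical, and only boundaries the article states explicitly are encoded (CVE-2025-0144 is omitted because no version is given for it).

```python
# Added example: thresholds are copied from the article; the product labels
# are hypothetical inventory keys, not Zoom identifiers.
# (CVE, product label, first fixed version, versions the article exempts)
ADVISORIES = [
    ("CVE-2025-0147", "workplace-linux", "6.2.10", ()),
    ("CVE-2025-0147", "meeting-sdk-linux", "6.2.10", ()),
    ("CVE-2025-0147", "video-sdk-linux", "6.2.10", ()),
    ("CVE-2025-0143", "workplace-linux", "6.2.5", ()),
    ("CVE-2025-0145", "workplace-windows", "6.2.5", ()),
    ("CVE-2025-0145", "vdi-windows", "6.1.13", ("6.0.15",)),
    ("CVE-2025-0142", "jenkins-bot-plugin", "1.6", ()),
    ("CVE-2025-0146", "workplace-macos", "6.2.10", ()),
]

def parse(version, width=4):
    """'6.2.10' -> (6, 2, 10, 0): numeric, zero-padded, so 6.2.10 > 6.2.5."""
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def applicable_cves(product, installed):
    """Return the CVEs from ADVISORIES that apply to this product/version."""
    have = parse(installed)
    hits = []
    for cve, prod, fixed, exempt in ADVISORIES:
        if prod != product or have >= parse(fixed):
            continue  # other product, or already at/after the fixed version
        if any(have[:3] == parse(e)[:3] for e in exempt):
            continue  # e.g. VDI 6.0.15, which the article excludes
        hits.append(cve)
    return sorted(hits)

def audit(inventory):
    """inventory: iterable of (host, product, version) -> {host: [CVE, ...]}."""
    report = {}
    for host, product, version in inventory:
        cves = applicable_cves(product, version)
        if cves:
            report.setdefault(host, []).extend(cves)
    return report

# Constructed sample inventory, not real hosts.
SAMPLE = [
    ("build-01", "workplace-linux", "6.2.7"),
    ("desk-17", "vdi-windows", "6.0.15"),
    ("ci-02", "jenkins-bot-plugin", "1.5"),
    ("mac-03", "workplace-macos", "6.2.10"),
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE).items():
        print(host, ", ".join(cves))
```

Versions are compared as integer tuples because a plain string comparison would rank 6.2.10 below 6.2.5 and misreport patched Linux and macOS clients as vulnerable.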