Zoom has released updates addressing seven vulnerabilities in its desktop and mobile clients. The one critical flaw among them, CVE-2024-24691, affects its Windows software.
A second Windows-specific issue, CVE-2024-24697, is a high-severity privilege escalation bug.
A privilege escalation attack is one in which a user obtains rights, permissions or privileges beyond those they were granted, whether through a software flaw, a misconfiguration or inadequate access controls.
CVE-2024-24691 is an improper input validation flaw rated critical with a CVSS score of 9.6. It allows an unauthenticated user to escalate privileges via network access through improper input validation in the Zoom Desktop Client, Zoom VDI Client and Zoom Meeting SDK for Windows. Because it requires neither authentication nor local access, it should be patched first.
The following Zoom products are affected by CVE-2024-24691:
1. Zoom Desktop Client for Windows (versions before 5.16.5)
2. Zoom VDI Client for Windows (versions before 5.16.10, excluding 5.14.14 and 5.15.12)
3. Zoom Rooms Client for Windows (versions before 5.17.0)
4. Zoom Meeting SDK for Windows (versions before 5.16.5)
Additionally, CVE-2024-24697 is an untrusted search path vulnerability in certain 32-bit Zoom Windows clients, rated high with a CVSS score of 7.2. In this class of flaw a program loads a file, typically a DLL, from a location an attacker can control rather than from a fixed trusted path. It allows an authenticated user to escalate privileges via local access.
The following Zoom products are affected by CVE-2024-24697:
1. Zoom Desktop Client for Windows (versions before 5.17.0)
2. Zoom VDI Client for Windows (versions before 5.17.5, excluding 5.15.15 and 5.16.12)
3. Zoom Meeting SDK for Windows (versions before 5.17.0)
4. Zoom Rooms Client for Windows (versions before 5.17.0)
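The two affected-version lists above are easy to misread because the VDI client has patched maintenance releases on older branches that are excluded from the vulnerable range. The following is an added example, not Zoom's own code or tooling, that encodes the ranges stated on this page and checks an inventory against them. The product names are the advisory's; the sample inventory is constructed, and the rule that a release later than an excluded one on the same major.minor branch also carries the fix is this example's own assumption.

```python
"""Check installed Zoom Windows client versions against CVE-2024-24691 and
CVE-2024-24697 as described in the advisory text above (added example)."""
from dataclasses import dataclass


def parse_version(s: str) -> tuple[int, ...]:
    """'5.16.10' -> (5, 16, 10). A build suffix such as '5.16.10.26186' keeps
    its extra component, and tuple comparison still orders it correctly."""
    return tuple(int(p) for p in s.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    fixed_in: str                  # first fixed version on the current branch
    excluded: tuple[str, ...] = () # fixed maintenance releases on older branches

    def is_vulnerable(self, version: str) -> bool:
        v = parse_version(version)
        if v >= parse_version(self.fixed_in):
            return False
        for ex in self.excluded:
            e = parse_version(ex)
            # Assumption (not stated by the advisory): a later patch on the
            # same major.minor branch as an excluded release also has the fix.
            if v[:2] == e[:2] and v >= e:
                return False
        return True


# Ranges exactly as listed on this page.
ADVISORIES = {
    "CVE-2024-24691": {
        "Zoom Desktop Client for Windows": AffectedRange("5.16.5"),
        "Zoom VDI Client for Windows": AffectedRange("5.16.10", ("5.14.14", "5.15.12")),
        "Zoom Rooms Client for Windows": AffectedRange("5.17.0"),
        "Zoom Meeting SDK for Windows": AffectedRange("5.16.5"),
    },
    "CVE-2024-24697": {
        "Zoom Desktop Client for Windows": AffectedRange("5.17.0"),
        "Zoom VDI Client for Windows": AffectedRange("5.17.5", ("5.15.15", "5.16.12")),
        "Zoom Meeting SDK for Windows": AffectedRange("5.17.0"),
        "Zoom Rooms Client for Windows": AffectedRange("5.17.0"),
    },
}


def outstanding_cves(product: str, version: str) -> list[str]:
    """CVEs from the two advisories that still apply to this product/version.
    A product the advisories do not mention returns [] (not covered), which
    is not the same as 'patched'."""
    return [
        cve for cve, ranges in ADVISORIES.items()
        if product in ranges and ranges[product].is_vulnerable(version)
    ]


def scan_inventory(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Map hostname -> outstanding CVEs for a (host, product, version) list."""
    return {host: outstanding_cves(product, version) for host, product, version in inventory}


# Constructed sample inventory, e.g. the output of a software-inventory export.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Desktop Client for Windows", "5.16.5"),        # 24691 fixed, 24697 not
    ("ws-02", "Zoom Desktop Client for Windows", "5.17.0"),        # both fixed
    ("vdi-01", "Zoom VDI Client for Windows", "5.15.12"),          # 24691 excluded, 24697 not
    ("vdi-02", "Zoom VDI Client for Windows", "5.15.15"),          # fixed on the 5.15 branch
    ("vdi-03", "Zoom VDI Client for Windows", "5.16.0"),           # vulnerable to both
    ("ws-03", "Zoom Desktop Client for Windows", "5.16.10.26186"), # build suffix handled
]

if __name__ == "__main__":
    for host, cves in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'OK' if not cves else ', '.join(cves)}")
```

Versions are compared as integer tuples rather than strings so that 5.16.10 sorts after 5.16.5; a naive string comparison would get that wrong and report a fixed client as vulnerable.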
Beyond these two, Zoom also fixed further issues in its clients, including additional improper input validation flaws, a business logic error and an improper authentication bug.
Zoom has not reported any known exploitation of these vulnerabilities in the wild, but it urges users to update to the latest available versions promptly.