CVE-2022-28763: High-Risk Security Flaw in Zoom
Popular video conferencing service Zoom has resolved a high-severity vulnerability that exposes users to phishing attacks.
The vulnerability, which carries a CVSS severity score of 8.8/10, is documented as improper URL parsing in Zoom Clients. The vulnerability, tracked as CVE-2022-28763, affects Zoom Client for Meetings for Android, iOS, Linux, macOS, and Windows before version 5.12.2, Zoom VDI Windows Meeting Clients before version 5.12.2, and Zoom Rooms for Conference Room for Android, iOS, Linux, macOS, and Windows before version 5.12.2. The company credited its internal security team with finding the issue.
“The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers,” Zoom said in a note.
An attacker could exploit the CVE-2022-28763 vulnerability using a specially crafted Zoom meeting URL to redirect a victim to arbitrary websites.
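As an added illustration, not Zoom's code (the page does not describe the exact parsing defect), the check below shows the kind of strict host validation a client can apply to a meeting link before connecting: it parses the URL, refuses constructs that commonly make one parser see a different host than another, and requires the host to sit under an allowlisted domain. The allowlist, the https-only rule and the sample URLs are constructed for the example; `attacker.invalid` is a placeholder.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the example: the vendor's domain and its subdomains.
ALLOWED_HOST_SUFFIXES = ("zoom.us",)


def validate_meeting_url(url: str, allowed=ALLOWED_HOST_SUFFIXES):
    """Return (ok, detail). ok is True only when the URL is https and its
    host is an allowlisted domain or a subdomain of one; detail names the
    accepted host or the reason for rejection."""
    # Some parsers treat '\' as '/', others as part of the host; do not guess.
    if "\\" in url:
        return False, "backslash in URL"
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme {parts.scheme!r} not https"
    # 'https://zoom.us@attacker.invalid/' puts the trusted name in userinfo;
    # the real host is whatever follows the '@'.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "no host"
    if not host.isascii():
        return False, "non-ASCII host (possible look-alike domain)"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    # Exact match or a real subdomain; 'zoom.us.attacker.invalid' fails both.
    if not any(host == s or host.endswith("." + s) for s in allowed):
        return False, f"host {host!r} not allowlisted"
    return True, host


# Constructed sample links exercising the cases above.
SAMPLE_URLS = [
    "https://us02web.zoom.us/j/123456789",
    "https://zoom.us@attacker.invalid/j/123456789",
    "https://zoom.us.attacker.invalid/j/123456789",
    "http://zoom.us/j/123456789",
    "https://zoom.us:8443/j/123456789",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(validate_meeting_url(u), u)
```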
Last week, Zoom addressed two flaws (CVE-2022-28762 and CVE-2022-28761) that could allow an attacker to connect to and control Zoom Apps running in the Zoom client, and to prevent participants from receiving audio and video, causing meeting disruptions.
Users of the application are recommended to update to the latest version (5.12.2) to mitigate any potential threats arising from exploitation of these flaws.