CVE-2024-24691 (CVSS 9.6): Critical Zoom Privilege Escalation Vulnerability
Zoom, the popular video conferencing platform, has addressed several critical security vulnerabilities affecting its Windows, iOS, and Android clients. A total of 7 security flaws were fixed. IT teams and individual users should patch systems immediately to protect against potential attacks.
The most severe vulnerability (CVE-2024-24691, CVSS score 9.6) could allow hackers to escalate their privileges, potentially gaining control of vulnerable systems. This flaw affects Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows.
“Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” reads Zoom’s advisory.
CVE-2024-24691 affects
- Zoom Desktop Client for Windows before version 5.16.5
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Meeting SDK for Windows before version 5.16.5
- Zoom Rooms Client for Windows before version 5.17.0
Unpatched Zoom software introduces serious security risks to businesses and individuals. Hackers can potentially exploit these vulnerabilities to:
- Steal sensitive data
- Disrupt video meetings
- Install malware
- Gain full control of affected systems
Zoom also issued a patch for a high-risk vulnerability (CVE-2024-24697, CVSS 7.2) that involves an untrusted search path. This could allow privilege escalation for authenticated users on some 32-bit Windows Zoom clients.
Take Action
-
Update Zoom: Install the latest Zoom updates immediately on all Windows, iOS, and Android devices. Check for updates within the Zoom client or download the latest versions directly.
-
Monitor Security Bulletins: Subscribe to Zoom’s Security Bulletin Page for critical updates.
-
Enforce Strong Password Policies: Users should implement strong, unique passwords and avoid password reuse.
