Zoom Video Communications has released a critical security update for its Zoom Rooms software, addressing vulnerabilities that could allow attackers to escalate privileges or read sensitive files on conference room systems. The patches cover flaws in both the Windows and macOS clients, and Zoom urges administrators to update their conference hardware immediately.
The most concerning issue in this release affects Zoom Rooms for Windows. Tracked as CVE-2025-67460, this high-severity vulnerability (CVSS 7.8) involves a failure in the software’s downgrade protection mechanisms.
In many security architectures, preventing software downgrades is crucial because older versions often contain known vulnerabilities that attackers can exploit. By bypassing this protection, an attacker could force the system to revert to a less secure state.
According to the advisory, this flaw “may allow an unauthenticated user to conduct an escalation of privilege via local access”.
A separate vulnerability was identified in Zoom Rooms for macOS. While less severe with a CVSS score of 5, CVE-2025-67461 still poses a risk to data privacy.
This flaw is described as an “External Control of File Name or Path” issue. The advisory warns that this weakness “may allow an authenticated user to conduct a disclosure of information via local access”. By manipulating file paths, a user logged into the system could potentially trick the software into revealing sensitive information that should have remained restricted.
Both vulnerabilities affect versions prior to 6.6.0. Zoom has released a fix in version 6.6.0 for both Windows and macOS platforms.
Administrators responsible for maintaining conference room technology are advised to apply these updates immediately.
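A small inventory check that follows from the advisory's two facts (affected builds are anything prior to 6.6.0, and downgrade protection exists to stop a host from sliding back to an older build). This is an added example, not code from Zoom or the advisory; it assumes versions are plain dotted numbers and uses constructed hostnames and version snapshots.

```python
FIXED_VERSION = "6.6.0"  # fix version named in the Zoom Rooms advisory


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '6.6.0' into (6, 6, 0). Compare as integers, not strings:
    '6.10.1' < '6.6.0' as text, but 6.10.1 is the newer build."""
    return tuple(int(part) for part in v.strip().split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """Per the advisory, every version prior to 6.6.0 is affected."""
    return parse_version(version) < parse_version(fixed)


def audit(previous: dict[str, str], current: dict[str, str],
          fixed: str = FIXED_VERSION) -> dict[str, list[str]]:
    """Compare two inventory snapshots (hostname -> installed version).

    Reports hosts still on an affected build, and hosts whose version moved
    backwards between snapshots. A version going backwards is exactly what
    downgrade protection is meant to prevent, so it deserves a look even on
    a host that is otherwise above the fixed version.
    """
    findings: dict[str, list[str]] = {"unpatched": [], "downgraded": []}
    for host, ver in sorted(current.items()):
        if is_vulnerable(ver, fixed):
            findings["unpatched"].append(host)
        old = previous.get(host)
        if old is not None and parse_version(ver) < parse_version(old):
            findings["downgraded"].append(host)
    return findings


# Constructed sample snapshots (hypothetical room hostnames and versions).
PREVIOUS = {"room-a": "6.5.2", "room-b": "6.6.0", "room-c": "6.5.9", "room-d": "6.10.1"}
CURRENT = {"room-a": "6.6.0", "room-b": "6.5.2", "room-c": "6.5.9", "room-d": "6.10.1"}

if __name__ == "__main__":
    for kind, hosts in audit(PREVIOUS, CURRENT).items():
        print(f"{kind}: {', '.join(hosts) or 'none'}")
```

With the sample data, room-b is reported both as unpatched and as downgraded, while room-d on 6.10.1 is correctly treated as newer than 6.6.0.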