Three High Flaws in Zoom for macOS and Windows

CVE-2022-36924

Three newly disclosed security vulnerabilities in Zoom for macOS and Windows can let a local attacker run arbitrary code or escalate their privileges to root (macOS) or SYSTEM (Windows), according to the security bulletins Zoom published with the fixes.

Two of the vulnerabilities, tracked as CVE-2022-28768 and CVE-2022-36924 and both rated high severity, are local privilege escalation issues that could ultimately let an attacker take control of the affected system. CVE-2022-28768 affects the Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6, and CVE-2022-36924 affects the Zoom Rooms Installer for Windows before version 5.12.6. Version 5.12.6 and later of the video conferencing app patch the flaws.

CVE-2022-28768 (CVSS score of 8.8) lies in the install process of the macOS client: a local low-privileged user could exploit it while the installer runs to escalate their privileges to root. Koh M. Nakagawa (tsunekoh) has been credited with discovering and reporting this flaw.

CVE-2022-36924 (CVSS score of 8.8) lies in the install process of Zoom Rooms for Windows: a local low-privileged user could exploit it while the installer runs to escalate their privileges to SYSTEM. Researcher sim0nsecurity has been credited with discovering and reporting this flaw.

CVE-2022-28766 (CVSS score of 8.1) is a DLL injection vulnerability affecting Windows 32-bit versions of the Zoom Client for Meetings before 5.12.6 and Zoom Rooms for Conference Room before version 5.12.6. A local low-privileged user could exploit it to run arbitrary code in the context of the Zoom client. Like the two installer flaws, it requires an existing local, low-privileged foothold on the machine; none of the three is remotely exploitable on its own.

Users of the affected products should update to version 5.12.6 or later to remove the risk of exploitation. Because two of the flaws are in the installers rather than in the running client, the older installer packages themselves should also be removed from software distribution shares and deployment tooling so they are not run again on new machines.
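A practitioner checking a fleet against this advisory needs a version comparison that copes with the strings Zoom actually reports (for example "5.12.6 (10137)" on macOS or a four-part file version on Windows). The script below is an added example, not code from the article or from Zoom: it parses such strings, decides whether an installed build is older than the fixed 5.12.6, and optionally reads the macOS client's version from its Info.plist (the bundle path is the standard install location and is an assumption; the sample version strings are constructed for illustration).

```python
import plistlib
import re
from typing import Optional, Tuple

# First version carrying the fixes for CVE-2022-28768, CVE-2022-36924 and
# CVE-2022-28766 across the affected Zoom products.
FIXED_VERSION = "5.12.6"

# Assumed default install path of the macOS client (not stated on the page).
MACOS_PLIST = "/Applications/zoom.us.app/Contents/Info.plist"


def parse_version(text: str) -> Tuple[int, ...]:
    """Return the leading dotted numeric version as a tuple of ints.

    Accepts '5.12.6', '5.12.6 (10137)' and '5.12.6.10137'; anything after
    the numeric prefix (build number in parentheses, whitespace) is ignored.
    Raises ValueError when no version is present at all.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version.

    Only as many components as the fixed version has are compared, and a
    shorter installed version is padded with zeros, so '5.12' is treated as
    5.12.0 (vulnerable) and '5.12.6.10137' as 5.12.6 (fixed).
    """
    fix = parse_version(fixed)
    inst = parse_version(installed)
    n = len(fix)
    inst = (inst + (0,) * n)[:n]
    return inst < fix


def installed_macos_version(plist_path: str = MACOS_PLIST) -> Optional[str]:
    """Read CFBundleShortVersionString from the client's Info.plist.

    Returns None when the bundle is not installed at that path.
    """
    try:
        with open(plist_path, "rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    except FileNotFoundError:
        return None


def check_host(reported: Optional[str]) -> str:
    """Summarise a single host's state from its reported version string."""
    if reported is None:
        return "zoom not installed"
    state = "VULNERABLE" if is_vulnerable(reported) else "patched"
    return f"{reported}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    # Constructed sample inventory; on a real macOS host replace the first
    # entry with installed_macos_version().
    samples = ["5.12.5 (9999)", "5.12.6 (10137)", "5.11.10.9227", None]
    for s in samples:
        print(check_host(s))
```

On Windows the per-user client usually lives under %APPDATA%\Zoom\bin\Zoom.exe, and its file version (as shown by PowerShell's (Get-Item ...).VersionInfo.ProductVersion) can be fed to is_vulnerable() unchanged; for Zoom Rooms, check the installer package version rather than only the running client, since the fix for CVE-2022-36924 is in the installer.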