Zoom has rolled out a security update patching six newly disclosed vulnerabilities affecting its Workplace, Rooms, and SDK products across Windows, macOS, Linux, iOS, and Android platforms. These flaws, ranging in severity, could lead to denial of service (DoS), information disclosure, cross-site scripting (XSS), and even integrity compromise.
CVE-2025-46788 (CVSS 7.4): Improper Certificate Validation in Zoom for Linux
Zoom Workplace and SDK for Linux versions prior to 6.4.13 are affected by a serious certificate validation flaw that may allow unauthorized users to disclose sensitive information via network access.
“Improper certificate validation… may allow an unauthorized user to conduct an information disclosure via network access,” the advisory warns.
Users are advised to upgrade to v6.4.13 or later to close the vulnerability.
CVE-2025-49464 (CVSS 6.5): Buffer Overflow in Zoom Clients for Windows
A classic buffer overflow vulnerability was found in Zoom Workplace, VDI, Rooms, and Meeting SDK for Windows prior to version 6.4.0 and certain VDI builds. An authorized user could exploit this flaw to trigger a denial of service through crafted network requests. All users running affected versions are urged to apply the updates found at zoom.us/download.
CVE-2025-49464 (CVSS 6.5): Improper Authentication in Zoom Clients for macOS
Zoom also reported a vulnerability in macOS clients before 6.4.5 that could allow an unauthenticated user to impact application integrity. This issue affects both Zoom Workplace and the Zoom Meeting SDK for macOS. An immediate upgrade is recommended.
CVE-2025-49463 (CVSS 6.5): iOS Clients Exposed via Control Flow Weakness
iOS users are not exempt: a flaw in Zoom Workplace, Rooms, Controllers, and SDK for iOS before version 6.4.5 could permit information disclosure via insufficient control flow management. This vulnerability impacts both general users and developers integrating Zoom SDKs into iOS applications.
CVE-2025-49462 (CVSS 3.5): Cross-site Scripting Across Multiple Platforms
In one of the most widespread issues, a cross-site scripting (XSS) vulnerability affects virtually all Zoom clients — including Windows, macOS, Linux, Android, and iOS — prior to version 6.4.5. While rated lower in severity, the broad platform impact makes it critical for enterprises managing diverse device fleets.
CVE-2025-46789 (CVSS 6.5): Another Buffer Overflow in Windows Clients
Zoom disclosed a second buffer overflow in Windows builds prior to 6.4.5, including VDI and Room components, which also results in denial of service. The flaw reinforces the importance of patching all instances, not just client endpoints.
Zoom Urges Users to Update
Zoom emphasizes the importance of immediate patching:
“Users can help keep themselves secure by applying the latest updates available at https://zoom.us/download,” the advisory urges repeatedly.
Whether you’re an enterprise IT admin managing a cross-platform environment or a single user working remotely, ensuring your Zoom client is on the latest version is a vital defense against exploitation.
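For administrators auditing a mixed fleet, the following added example (not code from Zoom or from this advisory) turns the fixed versions listed above into a check: given a platform and an installed client version, it reports which of the six CVEs still apply. The CVE labels, platforms and fixed versions are taken as stated on this page; the host names and version strings in the sample inventory are constructed, and the "certain VDI builds" exception for the Windows 6.4.0 fix is not modelled.

```python
"""Fleet exposure check against the Zoom fixes listed in this advisory summary."""
from typing import List, Tuple

# Fixed versions as stated on the page; entries are (cve, platform, fixed_in, issue).
# "any" means the entry applies to every platform. CVE labels are copied as the page
# gives them; the Windows "certain VDI builds" exception is not modelled here.
ADVISORIES = [
    ("CVE-2025-46788", "linux",   "6.4.13", "improper certificate validation"),
    ("CVE-2025-49464", "windows", "6.4.0",  "buffer overflow (DoS)"),
    ("CVE-2025-49464", "macos",   "6.4.5",  "improper authentication"),
    ("CVE-2025-49463", "ios",     "6.4.5",  "insufficient control flow management"),
    ("CVE-2025-49462", "any",     "6.4.5",  "cross-site scripting"),
    ("CVE-2025-46789", "windows", "6.4.5",  "buffer overflow (DoS)"),
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a client version such as '6.4.12.28501' into a comparable tuple.
    Build numbers are kept, so '6.4.5.1234' sorts above '6.4.5' and below
    '6.4.6'. Raises ValueError on junk input instead of guessing."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def is_older(installed: str, fixed: str) -> bool:
    """True when the installed version is strictly below the fixed version.
    Zero-padding makes '6.4' compare equal to '6.4.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def applicable_cves(platform: str, installed: str) -> List[str]:
    """Return the CVE ids from the advisory that still apply to this client."""
    plat = platform.lower()
    hits = []
    for cve, target, fixed, _issue in ADVISORIES:
        if target in ("any", plat) and is_older(installed, fixed):
            hits.append(cve)
    return hits

# Constructed sample inventory (host, platform, version); not real hosts.
FLEET = [("host-a", "windows", "6.3.11.55555"),
         ("host-b", "linux", "6.4.13.3244"),
         ("host-c", "macos", "6.4.4.1")]

if __name__ == "__main__":
    for host, plat, ver in FLEET:
        cves = applicable_cves(plat, ver)
        print(f"{host:8} {plat:8} {ver:14} {'OK' if not cves else ', '.join(cves)}")
```

Only the major.minor.patch threshold is compared; a fleet that includes VDI builds should be checked against the vendor's own build list for the Windows 6.4.0 fix.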