Tuesday, February 4, 2025
Follow us On Linkedin
HomeCVE/vulnerabilityNew Zoom Flaw Let Attackers to Hack into the Systems of Participants...

New Zoom Flaw Let Attackers to Hack into the Systems of Participants via Chat Messages

CVE/vulnerability

Published on

By Gurubaran
New Zoom Flaw

Free Webinar DevSecOps Hacks

SIEM as a Service

Follow Us on Google News

Security researchers from Talos discovered two vulnerabilities with the popular Zoom video chatting that allows a malicious user in the conference to execute arbitrary code on victims’ machines.

Zoom is a popular video conferencing software across the globe that are used by individuals across the globe to work from and to stay in touch with friends and family.

Both of the vulnerabilities are path traversal and it was reported to Talos by Zoom and it was fixed by Zoom in May.

The flaws can be exploited by attackers to execute or place or to write files on the vulnerable installations.

TALOS-2020-1055/CVE-2020-6109

The vulnerability exists with Zoom client, version 4.6.10, an attacker can exploit the vulnerability by sending a specially crafted message to a target user or a group to exploit this vulnerability.

The vulnerability is due to Improper Limitation of a Pathname to a restricted directory causes Path traversal, a specifically crafted message leads to arbitrary file write, which can be used to achieve arbitrary code execution.

“The actual vulnerability lies in the fact that filenames are not sanitized in any way and allow for directory traversal. This means that a specially crafted id attribute of the giphy tag could contain a special file path that would write a file outside Zoom’s install directory and indeed in any directory writable by the current user,” reads the advisory.

TALOS-2020-1056/CVE-2020-6110

Another one is the exploitable vulnerability that exists with Zoom Client version 4.6.10 & 4.6.11. A crafted message from the attacker leads to arbitrary binary planting which could be abused to achieve arbitrary code execution.

An attacker could trigger the vulnerability by sending a crafted message to a target user or a group to trigger this vulnerability, according to the advisory.

Starting this coronavirus pandemic, many companies around the world asked employees to work from home, which increases the usage of video conferencing apps.

In the current situation, most of the organization has been closed and the employees are provided with options to work from home. So the RDP and the video communication platforms are heavily targeted by attackers.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Apache

Apache Cassandra Vulnerability Allows Attackers to Gain Access Data Centers

In a recent security advisory, a moderate-severity vulnerability has been identified in Apache Cassandra,...
cyber security

1- Click RCE Vulnerability in Voyager PHP Allow Attackers Execute Arbitrary Code

A recently disclosed security vulnerability in the Voyager PHP package, a popular tool for...
Android

Android Security Update Fixes Linux Kernel RCE Flaw Allow Read/Write Access

On February 3, 2025, Google published its February Android Security Bulletin, which addresses a...
ANY RUN

ANY.RUN Enhances Malware Detection and Performance to Combat 2025 Cyber Threats

As cyber threats grow more sophisticated, ANY.RUN has unveiled a series of updates aimed...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

Register Now

More like this

Apple

Apple Service Ticket Portal Vulnerability Leaks Sensitive Information

Apple, one of the most trusted technology brands in the world, recently faced a...
CVE/vulnerability

Hackers Exploiting 7-Zip Zero-Day Vulnerability to Deploy SmokeLoader Malware

A newly identified zero-day vulnerability in the widely used 7-Zip archiving software, designated as...
CVE/vulnerability

Multiple Flaws in Dell PowerProtect Allow System Compromise

Dell has released a Critical Security Update (DSA-2025-022) for its PowerProtect Data Domain (DD) systems to...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved