Saturday, February 15, 2025
HomeCyber Security NewsBeware! Hackers Can Now Exploit a Security Flaw in Zoom Client

Beware! Hackers Can Now Exploit a Security Flaw in Zoom Client

Published on

SIEM as a Service

Follow Us on Google News

The popular video messaging platform Zoom has discovered multiple vulnerabilities affecting Zoom Clients. These vulnerabilities might allow an unauthorized user to carry out denial-of-service, privilege escalation, and information disclosure attacks.

To receive the most recent security updates and bug fixes, Zoom advises users to update to the most recent version of the Zoom software.

High Severity Vulnerabilities Impacting Zoom Clients

Improper Authentication – CVE-2023-39215

With a CVSS Base Score of 7.1 and a High severity vulnerability listed as CVE-2023-39215, improper authentication in Zoom clients may enable an authenticated user to utilize network access to perform a denial of service attack.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.5
  • Zoom Desktop Client for macOS before version 5.15.5
  • Zoom Desktop Client for Linux before version 5.15.5
  • Zoom VDI Client before version 5.14.12
  • Zoom VDI Client before version 5.15.4
  • Zoom Mobile App for Android before version 5.15.5
  • Zoom Mobile App for iOS before version 5.15.5
  • Zoom Meeting SDK’s before version 5.15.5

Exposure of Sensitive Information – CVE-2023-39214

A high-severity vulnerability with a CVSS Base Score of 7.6 is identified as CVE-2023-39214. It involves the exposure of sensitive data in Zoom Client versions before 5.15.5, which could enable a denial of service via network access for an authenticated user.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.5
  • Zoom Desktop Client for macOS before version 5.15.5
  • Zoom Desktop Client for Linux before version 5.15.5
  • Zoom Mobile App for Android before version 5.15.5
  • Zoom Mobile App for iOS before version 5.15.5
  • Zoom Rooms for iPad before version 5.15.5
  • Zoom Rooms for Android before version 5.15.5
  • Zoom Rooms for Windows before version 5.15.5
  • Zoom Rooms for macOS before version 5.15.5

Client-Side Enforcement of Server-Side Security – CVE-2023-36535

Before version 5.14.10, client-side enforcement of server-side security in Zoom clients may have allowed an authenticated user to enable information exposure via network access.

This high-severity vulnerability was identified as CVE-2023-36535 and has a CVSS Base Score of 7.1.

Affected Products:

  • Zoom Clients for Windows before version 5.14.10
  • Zoom Desktop Client for macOS before version 5.14.10
  • Zoom Desktop Client for Linux before version 5.14.10
  • Zoom VDI Host and Plugin before version 5.14.10
  • Zoom Mobile App for Android before version 5.14.10
  • Zoom Mobile App for iOS before version 5.14.10
  • Zoom Rooms for iPad before version 5.14.10
  • Zoom Rooms for Android before version 5.14.10
  • Zoom Rooms for Windows before version 5.14.10
  • Zoom Rooms for macOS before version 5.14.10

Medium and Low-Severity Vulnerabilities Impacting Zoom Clients

Improper Authorization (CVE-2023-43582), Insufficient Control Flow Management (CVE-2023-43588), Cryptographic Issues (CVE-2023-39199), Buffer Overflow (CVE-2023-39206, CVE-2023-39204, CVE-2023-36532), Improper Conditions Check (CVE-2023-39205), 

Client-Side Enforcement of Server-Side Security (CVE-2023-39218), Improper Input Validation (CVE-2023-39217).

Update Now!

Users are advised to stay safe by installing the most recent updates or getting the most recent Zoom software which includes all security updates.

Patch Manager Plus, the one-stop solution for automated updates of over 850 third-party applications: Try Free Trial.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...

North Korean IT Workers Penetrate Global Firms to Install System Backdoors

In a concerning escalation of cyber threats, North Korean IT operatives have infiltrated global...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Fake BSOD Attack Launched via Malicious Python Script

A peculiar malicious Python script has surfaced, employing an unusual and amusing anti-analysis trick...

SocGholish Malware Dropped from Hacked Web Pages using Weaponized ZIP Files

A recent wave of cyberattacks leveraging the SocGholish malware framework has been observed using...

Lazarus Group Targets Developers Worldwide with New Malware Tactic

North Korea's Lazarus Group, a state-sponsored cybercriminal organization, has launched a sophisticated global campaign...