A newly disclosed vulnerability in Zoom Workplace Apps (tracked as CVE-2025-27441 and CVE-2025-27442) allows attackers to inject malicious scripts via cross-site scripting (XSS) flaws, posing risks to millions of users globally.
The medium-severity vulnerability, with a CVSS score of 4.6, enables unauthenticated attackers on adjacent networks to compromise meeting integrity by executing arbitrary code.
Zoom has released patches for affected desktop, mobile, and SDK versions, urging users to update immediately to mitigate exploitation risks.
The XSS vulnerability stems from improper input validation in Zoom’s chat and collaboration features. Attackers on the same network segment—such as public Wi-Fi or corporate intranets—can inject malicious scripts into meeting sessions.
These scripts may hijack user sessions, steal credentials, or distribute malware. Unlike traditional XSS attacks requiring user interaction, this flaw exploits Zoom’s handling of network data packets, allowing passive injection during active meetings.
Security analysts highlight that the adjacency requirement lowers the attack barrier, as attackers need only network access rather than authentication. This raises concerns for enterprises using Zoom in shared office environments or hybrid work setups.
The vulnerability affects Zoom Workplace Desktop Apps (Windows, macOS, Linux), mobile apps (iOS/Android), and SDK integrations; versions prior to 6.3.10 are the ones affected.
The primary vulnerabilities, CVE-2025-27441 and CVE-2025-27442, are rooted in insufficient sanitization of user-supplied input.
Attackers craft malicious payloads disguised as meeting metadata, which Zoom fails to validate, leading to script execution in victims’ clients.
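The defect described above is a missing output-encoding step for attacker-controlled metadata. The following is an added illustration, not Zoom's code: it shows the unsafe rendering pattern beside a hardened one that validates the shape of each field and HTML-escapes it at the point of rendering. The field names, rules and sample payload are constructed for the example.

```javascript
// Added example (not Zoom's code): rendering untrusted meeting metadata.
// Constructed sample: fields a peer on the same network could tamper with.
const untrustedMeta = {
  topic: 'Q2 Planning <script>alert(document.cookie)</script>',
  host: 'alice@example.com',
};

// Vulnerable pattern: raw metadata interpolated straight into HTML, so any
// markup in the topic field is handed to the renderer as markup.
function renderUnsafe(meta) {
  return `<div class="topic">${meta.topic}</div><div class="host">${meta.host}</div>`;
}

// Output encoding: every character with HTML meaning becomes an entity.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Input validation (hypothetical rules): allow-list the shape of each field
// before it is stored or forwarded. Note that a topic may legitimately contain
// '<', so validation alone does not stop XSS; escaping at render time does.
const META_RULES = {
  topic: { maxLen: 200, pattern: /^[^\u0000-\u001f\u007f]*$/ },
  host:  { maxLen: 254, pattern: /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/ },
};

function validateMeta(meta) {
  const errors = [];
  for (const [field, rule] of Object.entries(META_RULES)) {
    const v = meta[field];
    if (typeof v !== 'string') { errors.push(`${field}: missing`); continue; }
    if (v.length > rule.maxLen) errors.push(`${field}: too long`);
    if (!rule.pattern.test(v)) errors.push(`${field}: disallowed characters`);
  }
  return errors;
}

// Hardened pattern: validate, then escape every field as it is rendered.
function renderSafe(meta) {
  const errors = validateMeta(meta);
  if (errors.length) throw new Error('invalid metadata: ' + errors.join('; '));
  return `<div class="topic">${escapeHtml(meta.topic)}</div>` +
         `<div class="host">${escapeHtml(meta.host)}</div>`;
}
```

The same escaping must be applied wherever the metadata is rendered (chat panel, participant list, link previews), since one unescaped sink is enough.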
A secondary flaw, CVE-2025-27443 (CVSS 2.8), involves insecure variable initialization in Windows apps, allowing authenticated users to manipulate local configurations.
Three additional CVEs (CVE-2025-30670/30671/30672), each rated CVSS 5.4, are null pointer dereference bugs that let authenticated attackers crash Zoom processes via network requests.
While these denial-of-service flaws require higher privileges, they compound risks for organizations delaying patches.
Zoom’s security bulletin ZSB-25013 lists over 15 impacted products, including:
The company confirmed no active exploits but warned that proof-of-concept code could emerge rapidly, given the flaw’s simplicity. This mirrors past incidents, such as the 2020 credential-leakage vulnerability, where delayed patching led to widespread exploitation.
Zoom recommends updating to the latest versions via its download portal. IT teams should prioritize endpoints in multi-tenant environments, enforcing network segmentation and monitoring for anomalous meeting traffic.
Additionally, disabling automatic link previews in Zoom settings can reduce XSS attack surfaces.
This disclosure follows a March 2025 CERT-In advisory about a Zoom denial-of-service flaw (CVE-2025-0149) and aligns with historical patterns of memory-corruption vulnerabilities in the platform.
Threat actors have increasingly targeted collaboration tools, as seen in fake Zoom installers distributing BlackSuit ransomware and IcedID malware. These campaigns exploit user trust in legitimate software, underscoring the need for vigilant update practices.