Zoom App Flaws: A Golden Ticket for Attacker Privilege Escalation

December 14, 2023

Zoom, the popular video conferencing software, has experienced security issues with its desktop and mobile apps. The flaws identified could allow attackers to attempt a privilege escalation, gaining unauthorized access to higher rights, permissions, or entitlements. Misconfiguration or inadequate access controls could enable this.

Key vulnerabilities include:

  • CVE-2023-43583 – Cryptographic Issues: This medium-severity vulnerability affects the Zoom SDKs for Android and iOS and the Zoom Mobile App for Android and iOS, and could allow a privileged user to disclose confidential information via network access.
  • CVE-2023-43585 – Improper Access Control: This high-severity flaw could allow an authenticated user to disclose information via network access in the Zoom Mobile App for iOS and the Zoom SDKs for iOS before version 5.16.5.
  • CVE-2023-43586 – Path Traversal: This high-severity bug could allow an authorized user to escalate privileges via network access in affected versions of the Zoom Desktop Client for Windows, the Zoom VDI Client for Windows, and the Zoom SDKs for Windows.
  • Several other high-severity bugs involving path traversal, untrusted search paths, insufficient verification of data authenticity, improper input validation and improper neutralization of special elements have been identified.

These vulnerabilities, particularly those of critical severity, could lead to significant breaches if exploited by unauthorized users, who could then escalate privileges via network access. Users are urged to update their software to the most recent versions available so that all security fixes are applied and their devices are protected.

These issues underline the need for continual evaluation and tightening of security measures on widely used platforms like Zoom. The company has been urged to act proactively to identify potential flaws and to regularly update its apps to minimize risks of cyber attacks.

Security consultants recommend keeping all apps and devices updated to the latest versions and maintaining robust security practices, such as using secure connections and enforcing strong authentication mechanisms to mitigate such risks.
