Aug 13, 2025Ravie LakshmananVulnerability / Software program Safety
Zoom and Xerox have addressed vital safety flaws in Zoom Shoppers for Home windows and FreeFlow Core that would permit privilege escalation and distant code execution.
The vulnerability impacting Zoom Shoppers for Home windows, tracked as CVE-2025-49457 (CVSS rating: 9.6), pertains to a case of an untrusted search path that would pave the way in which for privilege escalation.
“Untrusted search path in sure Zoom Shoppers for Home windows might permit an unauthenticated person to conduct an escalation of privilege by way of community entry,” Zoom stated in a safety bulletin on Tuesday.
The problem, reported by its personal Offensive Safety staff, impacts the next merchandise –
Zoom Office for Home windows earlier than model 6.3.10
Zoom Office VDI for Home windows earlier than model 6.3.10 (besides 6.1.16 and 6.2.12)
Zoom Rooms for Home windows earlier than model 6.3.10
Zoom Rooms Controller for Home windows earlier than model 6.3.10
Zoom Assembly SDK for Home windows earlier than model 6.3.10
The disclosure comes as a number of vulnerabilities have been disclosed in Xerox FreeFlow Core, probably the most extreme of which may end in distant code execution. The problems, which have been addressed in model 8.0.4, embody –
CVE-2025-8355 (CVSS rating: 7.5) – XML Exterior Entity (XXE) injection vulnerability resulting in server-side request forgery (SSRF)
CVE-2025-8356 (CVSS rating: 9.8) – Path traversal vulnerability resulting in distant code execution
“These vulnerabilities are rudimentary to use and if exploited, may permit an attacker to execute arbitrary instructions on the affected system, steal delicate information, or try to maneuver laterally right into a given company surroundings to additional their assault,” Horizon3.ai stated.
