Zoom has disclosed two essential safety vulnerabilities in its Zoom Rooms software program for Home windows and macOS, which might permit attackers with native entry to escalate privileges or expose delicate data.
Tracked as ZSB-25050 and ZSB-25051, these flaws have an effect on variations prior to six.6.0 and carry high-to-medium CVSS scores. Organizations counting on Zoom Rooms for convention setups face elevated dangers in shared environments like boardrooms or huddle areas.
The problems stem from a software program downgrade safety failure on Home windows and improper exterior management of file names on macOS, each of that are exploitable by way of native entry. Safety groups urge instant patching to stop unauthorized privilege positive factors or knowledge disclosures.
Home windows Software program Downgrade Safety Bypassed (ZSB-25050)
Zoom Rooms for Home windows earlier than model 6.6.0 suffers from a safety mechanism failure, enabling unauthenticated native customers to escalate privileges. This high-severity flaw, reported by an nameless researcher, might let attackers achieve elevated management over the system.
BulletinCVE IDCVSS SeverityCVSS ScoreVector StringDescriptionZSB-25050CVE-2025-67460High7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HSoftware downgrade safety failure permits unauthenticated privilege escalation by way of native entry.
Affected Merchandise: Zoom Rooms for Home windows < 6.6.0
macOS File Path Management Vulnerability (ZSB-25051)
On macOS, an authenticated person can exploit exterior management of file names or paths to reveal delicate data. This medium-risk subject requires person interplay however might leak confidential knowledge in enterprise deployments.
BulletinCVE IDCVSS SeverityCVSS ScoreVector StringDescriptionZSB-25051CVE-2025-67461Medium5.0CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExternal management of file identify/path permits data disclosure by way of native entry.
Affected Merchandise: Zoom Rooms for macOS < 6.6.0
Zoom recommends updating to model 6.6.0 or later by way of the official obtain web page. No proof of energetic exploitation exists but, however the local-access vector fits insider threats or compromised endpoints.
These flaws spotlight ongoing dangers in collaboration instruments, particularly post-hybrid work shifts. Enterprises ought to audit Zoom Rooms deployments, implement least-privilege entry, and monitor for downgrade makes an attempt.
CISA has not but issued alerts, however vulnerability trackers like NVD will quickly listing these CVEs.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.
