Scrape Timestamp (UTC): 2024-02-14 20:32:38.357
Original Article Text
Zoom patches critical privilege elevation flaw in Windows apps.

The Zoom desktop and VDI clients and the Meeting SDK for Windows are vulnerable to an improper input validation flaw that could allow an unauthenticated attacker to conduct privilege escalation on the target system over the network.

Zoom is a popular cloud-based video conferencing service for corporate meetings, educational lessons, social interactions/gatherings, and more. It offers screen sharing, meeting recording, custom backgrounds, in-meeting chat, and various productivity-focused features. The software's popularity surged during the COVID-19 pandemic, when many organizations turned to remote solutions to maintain operations and business continuity. By April 2020, it reached a peak of 300 million daily meeting participants.

The newly disclosed flaw is tracked as CVE-2024-24691 and was discovered by Zoom's offensive security team. It received a CVSS v3.1 score of 9.6, rating it "critical." The vulnerability impacts the following product versions:

The short description of the flaw does not specify how it could be exploited or what the repercussions might be, but the CVSS vector indicates that it requires some user interaction. This could involve clicking a link, opening a message attachment, or performing some other action that the attacker could leverage to exploit CVE-2024-24691.

For most people, Zoom should automatically prompt users to update to the latest version. However, you can manually download and install the latest release of the desktop client for Windows, version 5.17.7, from here.

Apart from the improper input validation flaw, the latest Zoom release also addresses the following six vulnerabilities:

Zoom users should apply the security update as soon as possible to mitigate the likelihood of external actors elevating their privileges to a level that allows them to steal sensitive data, disrupt or eavesdrop on meetings, and install backdoors.
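The practical follow-up to an advisory like this is a fleet check: which Windows hosts still run a Zoom client older than the 5.17.7 release named above. The script below is an added example, not code from the article or from Zoom; the inventory record format (hostname, version string) and the build numbers in the sample are constructed assumptions, and the only value taken from the article is the fixed version 5.17.7. It parses version strings into integer tuples so that comparisons are numeric (a plain string comparison would rank "5.9.0" above "5.17.7") and skips hosts with no parseable Zoom version.

```python
"""Flag Windows hosts whose Zoom desktop client is older than the 5.17.7
release that fixes CVE-2024-24691.

Added example. The inventory lines are constructed, not real telemetry, and
the 'hostname,version' record format is an assumption about how an endpoint
management export might look.
"""
import re
from typing import List, NamedTuple, Tuple

# Fixed release named in the advisory text.
FIXED_VERSION: Tuple[int, int, int] = (5, 17, 7)

class Host(NamedTuple):
    name: str
    version: Tuple[int, int, int]
    needs_update: bool

# major.minor.patch with an optional build number in parentheses.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\s*\((\d+)\))?")

def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '5.16.10 (1001)'.

    The build number is ignored. Returning a tuple of ints makes ordering
    numeric, avoiding the string-comparison bug where '5.9.0' > '5.17.7'.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch)

def is_patched(version: Tuple[int, int, int],
               fixed: Tuple[int, int, int] = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed release."""
    return version >= fixed

def audit(lines) -> List[Host]:
    """Parse 'hostname,version' records and mark hosts needing the update."""
    hosts: List[Host] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(",")
        try:
            ver = parse_version(rest)
        except ValueError:
            continue  # e.g. 'not installed': nothing to patch on this host
        hosts.append(Host(name.strip(), ver, not is_patched(ver)))
    return hosts

# Constructed sample inventory; build numbers are placeholders, not real.
SAMPLE_INVENTORY = """
# host,zoom_version
ws-0101,5.16.10 (1001)
ws-0102,5.17.7 (1002)
ws-0103,5.9.0 (1003)
ws-0104,5.17.11 (1004)
ws-0105,not installed
"""

def hosts_needing_update(inventory: str = SAMPLE_INVENTORY) -> List[str]:
    """Names of hosts whose client predates the fixed release."""
    return [h.name for h in audit(inventory.splitlines()) if h.needs_update]

if __name__ == "__main__":
    for h in audit(SAMPLE_INVENTORY.splitlines()):
        ver = ".".join(map(str, h.version))
        print(f"{h.name}: {ver} -> {'UPDATE' if h.needs_update else 'ok'}")
```

Run against a real export, only the record parsing in `audit` would need adjusting; the version comparison is the part worth keeping, since the fixed version is a numeric threshold rather than an exact match (5.17.11 is newer than 5.17.7 and should pass).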
Daily Brief Summary
A critical privilege escalation vulnerability was found in Zoom's Windows applications.
The flaw could potentially allow unauthenticated attackers to gain elevated privileges on a user's system.
The vulnerability, marked CVE-2024-24691, was discovered by Zoom's own offensive security team, with a high severity score of 9.6.
Affected Zoom products include the desktop client, VDI client, and Meeting SDK for Windows.
The software, widely used for video conferencing, became even more popular during the COVID-19 pandemic, peaking at 300 million daily participants.
User interaction such as clicking a link or opening an attachment is required to exploit the vulnerability.
Zoom has released a security update (version 5.17.7) to patch this and six other vulnerabilities, urging users to update immediately.