Critical Privilege Elevation Flaw in Zoom’s Windows App Patched
February 14, 2024
Zoom, a cloud-based video conferencing service used for corporate meetings, educational sessions, and social gatherings, has patched a critical flaw in its Windows applications. The flaw, identified as CVE-2024-24691, was found in Zoom's desktop and VDI clients as well as the Meeting SDK for Windows. This improper input validation flaw could have allowed an unauthenticated attacker to escalate their privileges on a target system over the network. Zoom's popularity soared during the COVID-19 pandemic, as many organizations turned to remote solutions to maintain operations. By April 2020, the platform was hosting 300 million daily meeting participants.
The flaw was discovered by Zoom's offensive security team and was given a CVSS v3.1 score of 9.6, marking it as 'critical'.
The vulnerability affects the following product versions:
The specifics of how the flaw could be exploited or the potential repercussions were not detailed, but the CVSS vector suggests that some user interaction would be necessary. This could involve clicking a link, opening a message attachment, or some other action that an attacker could use to exploit CVE-2024-24691.
For most users, Zoom should automatically prompt an update to the latest version. However, users can also manually download and install the latest release of the desktop client for Windows, version 5.17.7. In addition to the critical flaw, the latest Zoom release also addresses six other vulnerabilities. Users are advised to apply the security update as soon as possible to reduce the risk of external actors elevating their privileges, which could enable them to steal sensitive data, disrupt or eavesdrop on meetings, and install backdoors.