Zoom has released a security update to address a critical vulnerability (CVE-2024-24691) in its Windows applications, including the Zoom Desktop Client, VDI Client, Meeting SDK, and Zoom Rooms Client. This flaw, discovered by Zoom’s offensive security team, has a CVSS v3.1 score of 9.6 and could allow an unauthenticated attacker to escalate privileges over the network. The vulnerability is due to improper input validation and requires some user interaction for exploitation. Users are urged to update their Zoom applications to the latest versions to mitigate the risk of attack.
Vulnerability Details:
- CVE ID: CVE-2024-24691
- Severity: Critical (CVSS v3.1 Score: 9.6)
- Impact: Privilege Escalation
- Affected Versions:
- Zoom Desktop Client for Windows before version 5.16.5
- Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
- Zoom Rooms Client for Windows before version 5.17.0
- Zoom Meeting SDK for Windows before version 5.16.5
Mitigation and Recommendations:
- Immediate Action: Users should update their Zoom applications to the latest versions to patch the vulnerability. The latest release for the desktop client is version 5.17.7.
- Manual Update: If automatic updates are not enabled, users can manually download and install the latest version from the Zoom website.
- Stay Informed: Users should stay informed about any future security updates or advisories from Zoom.
Additional Vulnerabilities Addressed:
The latest Zoom release also addresses six other vulnerabilities, including issues related to privilege escalation, information disclosure, and denial of service. Users should apply the security update to protect against these additional vulnerabilities.
Conclusion:
Zoom users are advised to apply the security update as soon as possible to protect against the critical privilege elevation flaw and other vulnerabilities. Staying updated and vigilant is crucial for maintaining the security of Zoom meetings and protecting sensitive data.
Stay safe and secured,
OP Innovate’s Research team.
