Open Nav
Sign Up

Critical Privilege Elevation Flaw Patched in Zoom Windows Applications (CVE-2024-24691)

Bar Refael

February 15, 2024

Zoom has released a security update to address a critical vulnerability (CVE-2024-24691) in its Windows applications, including the Zoom Desktop Client, VDI Client, Meeting SDK, and Zoom Rooms Client. This flaw, discovered by Zoom’s offensive security team, has a CVSS v3.1 score of 9.6 and could allow an unauthenticated attacker to escalate privileges over the network. The vulnerability is due to improper input validation and requires some user interaction for exploitation. Users are urged to update their Zoom applications to the latest versions to mitigate the risk of attack.

Vulnerability Details:

  • CVE ID: CVE-2024-24691
  • Severity: Critical (CVSS v3.1 Score: 9.6)
  • Impact: Privilege Escalation
  • Affected Versions:
    • Zoom Desktop Client for Windows before version 5.16.5
    • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
    • Zoom Rooms Client for Windows before version 5.17.0
    • Zoom Meeting SDK for Windows before version 5.16.5

Mitigation and Recommendations:

  • Immediate Action: Users should update their Zoom applications to the latest versions to patch the vulnerability. The latest release for the desktop client is version 5.17.7.
  • Manual Update: If automatic updates are not enabled, users can manually download and install the latest version from the Zoom website.
  • Stay Informed: Users should stay informed about any future security updates or advisories from Zoom.

Additional Vulnerabilities Addressed:

The latest Zoom release also addresses six other vulnerabilities, including issues related to privilege escalation, information disclosure, and denial of service. Users should apply the security update to protect against these additional vulnerabilities.

Conclusion:

Zoom users are advised to apply the security update as soon as possible to protect against the critical privilege elevation flaw and other vulnerabilities. Staying updated and vigilant is crucial for maintaining the security of Zoom meetings and protecting sensitive data.

Stay safe and secured,

OP Innovate’s Research team.

Resources highlights

Critical Zero-Day in CrushFTP Exploited in the Wild (CVE-2025-54309)

A critical zero-day vulnerability in CrushFTP, CVE-2025-54309, is being actively exploited by threat actors to gain unauthenticated administrative access to vulnerable servers via HTTPS. The…

Read more >

CVE-2025-54309

Critical Zero-Day in Microsoft SharePoint Actively Exploited (CVE-2025-53770)

A newly discovered zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, is currently being exploited in active attacks against on-premises environments. The flaw, rated…

Read more >

CVE-2025-53770

Over 600 Laravel Applications Vulnerable to Remote Code Execution via Leaked APP_KEYs (CVE-2018-15133, CVE-2024-55556)

Security researchers have uncovered a major RCE threat affecting over 600 Laravel applications, triggered by leaked APP_KEYs found on public GitHub repositories. Laravel's APP_KEY, typically…

Read more >

CVE-2018-15133, CVE-2024-55556

CVE-2025-3648: “Count(er) Strike” Vulnerability in ServiceNow

CVE-2025-3648, dubbed “Count(er) Strike”, is a high-severity vulnerability (CVSS 8.2) in ServiceNow's Now Platform, discovered by Varonis Threat Labs. The flaw allows both authenticated and…

Read more >

CVE-2025-3648

What to Look for in a Pentesting Platform (Beyond Just Scans)

Penetration testing platforms are a great way to centralize vulnerability discovery and triage. However, when evaluating penetration testing platforms, many organizations make the mistake of…

Read more >

pentesting platform

CVE-2016-10033: Actively Exploited Remote Code Execution (RCE) Vulnerability in PHPMailer

CVE-2016-10033 is a critical remote code execution vulnerability in PHPMailer, a widely used PHP library for sending emails. The flaw lies in the mailSend function…

Read more >

CVE-2016-10033
Under Cyber Attack?

Fill out the form and we will contact you immediately.