A critical zero-day vulnerability has been found in Zoom – A video conferencing software, for Windows 7 or below. The vulnerability allows an attacker to execute remote code on the victim’s system without triggering any security warning. To successfully exploit this vulnerability, the attacker tricks a victim to perform operations like opening a crafted document.
An anonymous researcher found this zero-day vulnerability and shared it with Acros Security, who then reported to Zoom with several attack scenarios, a working proof of concept, and fix recommendations.
The flaw is present in all the supported versions of Zoom client for Windows but it can only be exploited in systems running Windows 7 or older Windows due to some system-specific configurations. Though Microsoft has ended official support for Windows 7, still millions of systems are running Windows 7.
0patch in their blog post stated that “this vulnerability is only exploitable on Windows 7 and earlier Windows versions. It is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that”
The vulnerability allows a remote attacker to execute arbitrary code on the affected system.
Zoom 5.1.2 and below for Windows.
Zoom 5.1.3 client release.