- 270/2022
- High
Zoom has released security updates to fix vulnerabilities in multiple products.
The severity of the addressed vulnerabilities could allow the local attacker to execute arbitrary code or gain privileges.
Samples of the addressed vulnerabilities:
1. DLL injection in Zoom Windows Clients (CVE-2022-28766):
- CVSS: 8.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Gain Access
2. Local Privilege Escalation in Zoom Rooms Installer for Windows (CVE-2022-36924):
- CVSS: 8.8
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privileges
Affected Products:
- Zoom Client for Meetings for Windows (32-bit) prior to 5.12.6
- Zoom VDI Windows Meeting Client for Windows (32-bit) prior to 5.12.6
- Zoom Rooms for Conference Room for Windows (32-bit) prior to 5.12.6
- Zoom Rooms Installer for Windows before version 5.12.6
- Zoom Client for Meetings Installer for macOS before version 5.12.6
Vulnerabilities
- CVE-2022-28766
- CVE-2022-36924
- CVE-2022-28768
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.