Zoom Video Communications has disclosed several security vulnerabilities in its Workplace Apps for Windows, macOS, Linux, iOS, and Android platforms.
These flaws, which range from medium to high severity, could lead to issues like unauthorized access, denial-of-service (DoS), or remote code execution if exploited.
One of the more serious vulnerabilities (CVE-2025-30663) is a time-of-check to time-of-use (TOCTOU) issue caused by a race condition in the app. With a CVSS 4.0 score of 5.9, this flaw could let a local attacker exploit timing gaps to access sensitive data or increase their system privileges. Although it requires access to the affected device and valid login credentials, it may still pose risks, especially in enterprise settings.
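To make the TOCTOU class concrete, the following is an added illustration in C and is not code from Zoom's advisory or products; Zoom has not published the mechanics of CVE-2025-30663, so nothing here describes that flaw specifically. It shows the textbook check-then-use pattern (a permission check on a path followed by a separate open of the same path, leaving a window in which the path's target can change) next to the hardened form that opens first and validates the object actually obtained through its descriptor. The function and path names, and the demo that pre-places a symlink to stand in for the swap that would otherwise happen during the timing gap, are all assumptions for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern (hypothetical helper): the check and the use are two
 * separate system calls that each resolve the path independently. Whatever
 * the path points to at the moment of open() is what gets opened, and the
 * earlier access() check says nothing about that object. */
int open_checked_racy(const char *path)
{
    if (access(path, R_OK) != 0)      /* time of check */
        return -1;
    return open(path, O_RDONLY);      /* time of use: path resolved again */
}

/* Hardened pattern (hypothetical helper): open first, refusing to follow a
 * symbolic link at the final component, then validate the object that was
 * actually opened via fstat() on the descriptor. A descriptor cannot be
 * redirected after the fact, so the check and the use refer to one object. */
int open_checked_safe(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed demo: a regular file plus a symlink pointing at it in a
 * temporary directory. The symlink stands in for the substitution an
 * attacker would make inside the check/use window; pre-placing it keeps the
 * demo deterministic. Returns a bitmask:
 *   1: racy helper opened the file through the symlink
 *   2: safe helper rejected the symlink
 *   4: safe helper accepted the plain regular file
 * so the expected value is 7. */
int demo_toctou(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;

    char regular[PATH_MAX], link[PATH_MAX];
    snprintf(regular, sizeof regular, "%s/data.txt", dir);
    snprintf(link, sizeof link, "%s/link.txt", dir);

    int result = 0;
    int fd = open(regular, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        goto cleanup;
    (void)write(fd, "sample\n", 7);
    close(fd);
    if (symlink(regular, link) != 0)
        goto cleanup;

    fd = open_checked_racy(link);
    if (fd >= 0) { result |= 1; close(fd); }

    fd = open_checked_safe(link, getuid());
    if (fd < 0) result |= 2; else close(fd);

    fd = open_checked_safe(regular, getuid());
    if (fd >= 0) { result |= 4; close(fd); }

cleanup:
    unlink(link);
    unlink(regular);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("demo result: %d (expected 7)\n", demo_toctou());
    return 0;
}
```

The point for defenders is structural rather than about timing: a check performed on a name and a use performed on the same name are two independent lookups, so the fix is to perform the check on the handle that the use will actually consume, not to shrink the window between them.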
Another, CVE-2025-27440, with a CVSS score of 8.5, describes a heap overflow in some Zoom Workplace Apps which may allow an unsanctioned user to conduct an escalation of privilege via network access.
CVE-2025-0151, also with an 8.5 severity score, describes a use-after-free in some Zoom Workplace Apps that could allow a bad actor to conduct an escalation of privilege via network access.
Other vulnerabilities (CVE-2025-30665 through CVE-2025-30668) involve NULL pointer dereference errors. These could lead to app crashes or, in some cases, let an attacker disrupt service or run unauthorized code.
In its advisory, Zoom said: “Zoom does not provide guidance on vulnerability impacts to individual customers due to a Zoom Security Bulletin or provide additional details about a vulnerability. We recommend users to update to the latest version of Zoom software in order to get the latest fixes and security improvements.”
Commenting on this, Erich Kron, Security Awareness Advocate at KnowBe4, says: “Given the number of people that use and rely on Zoom for their organisations’ day-to-day activities, this type of flaw (CVE-2025-30663) could be very significant. Deepfake audio and video have already been an issue, and in this case having a Zoom meeting initiated from a legitimate account could be the difference between a person believing the caller and not believing them.
Fortunately, Kron says, in this instance exploiting is not something that can be done easily remotely, so physical access is required. However, it demonstrates what may be possible with other future vulnerabilities that could be remotely exploited.
Due to the proliferation of deepfakes and live action scams, as opposed to just email phishing, organisations would benefit from ensuring their HDR program includes a focus on ways to ensure the caller is legitimate.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.