Zoom Windows Client CVE-2025-49457: Brief Summary of Untrusted Search Path Vulnerability and Patch Guidance

This post provides a brief summary of CVE-2025-49457, a critical untrusted search path vulnerability in Zoom Clients for Windows. It covers technical details, affected versions, patch information, and vendor security history based on available public sources.
ZeroPath CVE Analysis

2025-08-12

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Privilege escalation attacks against video conferencing platforms can lead to unauthorized access to sensitive meetings, data exfiltration, and lateral movement within enterprise networks. The recent disclosure of CVE-2025-49457 in Zoom Clients for Windows highlights a critical risk for organizations relying on this ubiquitous communication tool.

Technical Information

CVE-2025-49457 is an untrusted search path vulnerability in Zoom Clients for Windows. The flaw stems from improper handling of DLL search paths. When the Zoom client loads a dynamic-link library (DLL) by name rather than by an absolute path, Windows applies its standard search order, which includes the application's directory, the system directories, and every directory listed in the PATH environment variable. If an attacker can place a malicious DLL of the same name in a location that is searched before the directory holding the legitimate library, the Zoom client may load and execute the attacker's code with the application's privileges.

This vulnerability is classified under CWE-426 (Untrusted Search Path). Exploitation does not require authentication and can be performed via network access, for example by placing malicious DLLs on network shares or remote file systems that are accessible to the target system. The attack results in privilege escalation, as the injected code runs in the context of the Zoom client, potentially with elevated permissions. No public code snippets or proof of concept are available at this time.

Patch Information

Zoom has released version 6.3.0 of its Workplace Apps and Meeting SDKs to address CVE-2025-49457 and several other high-severity vulnerabilities. Users and organizations must update all Zoom Windows clients to version 6.3.0 or later to mitigate this issue. The update is available through official Zoom distribution channels.
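As an added example (not code from Zoom or from the original post), the following PowerShell audit checks the two conditions raised in the technical section and the patch guidance above: whether the installed Zoom client is below the fixed version 6.3.0, and whether any directory on PATH, which the DLL loader searches, is writable by non-administrators. The registry locations and the 'Zoom*' product-name match are assumptions about how the client registers itself.

```powershell
# Added example, not Zoom's code: audit a Windows host for CVE-2025-49457 exposure.
$FixedVersion = [System.Version]'6.3.0'   # version that ships the fix (per the advisory)

function Get-ZoomClientStatus {
    # Uninstall entries for machine-wide (64-bit and 32-bit) and per-user installs.
    # Assumption: the client registers here with a DisplayName starting with "Zoom".
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zoom*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Keep only major.minor.patch so build suffixes do not break the comparison.
            if ($_.DisplayVersion -match '^(\d+)\.(\d+)\.(\d+)') {
                $installed = [System.Version]("$($Matches[1]).$($Matches[2]).$($Matches[3])")
                [pscustomobject]@{
                    Product    = $_.DisplayName
                    Installed  = $installed
                    Vulnerable = ($installed -lt $FixedVersion)
                }
            }
        }
}

function Get-WritableSearchPathDirs {
    # Every PATH entry is part of the default DLL search order; one that grants
    # write or modify rights to broad groups is a DLL-planting location.
    $weak = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($dir in ($env:PATH -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $weak -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Directory = $dir
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-ZoomClientStatus        | Format-Table -AutoSize
Get-WritableSearchPathDirs  | Format-Table -AutoSize
```

A client row with Vulnerable = True, or any directory returned by the second function, is a finding to remediate (update the client; tighten the directory ACL or remove it from PATH).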

Affected Systems and Versions

  • Zoom Clients for Windows prior to version 6.3.0 are affected.
  • All configurations of the Windows client are vulnerable if they allow attackers to place files in directories searched by the DLL loader.
  • The vulnerability is not limited to a specific edition or deployment scenario.

Vendor Security History

Zoom has previously addressed similar vulnerabilities, including CVE-2024-24697, another untrusted search path issue in the Windows client. The company has improved its vulnerability response process, issuing timely advisories and coordinated patches. However, the recurrence of DLL search path flaws indicates ongoing challenges in secure Windows application development within Zoom's engineering practices.
