#VU86517 Input validation error in Zoom Video Communications, Inc. products - CVE-2024-24691

Cybersecurity Help s.r.o.

Published: 2024-02-14

Vulnerability identifier: #VU86517

Vulnerability risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-24691

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Zoom Workplace Desktop App for Windows
Client/Desktop applications / Office applications
Zoom Rooms for Windows
Client/Desktop applications / Office applications
Virtual Desktop Infrastructure (VDI)
Server applications / Conferencing, Collaboration and VoIP solutions
Zoom Meeting SDK for Windows
Universal components / Libraries / Software for developers

Vendor: Zoom Video Communications, Inc.

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim to click on a specially crafted link and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Windows: 5.0.0 23168.0427 - 5.16.2 22807

Virtual Desktop Infrastructure (VDI): 5.0.1 - 5.16.0 24280

Zoom Meeting SDK for Windows: 5.9.0 - 5.16.2

Zoom Rooms for Windows: 5.0.0 1420.0426 - 5.16.10 3425

External links
https://www.zoom.com/en/trust/security-bulletin/ZSB-24008/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Remote code execution in Zoom client for Windows