Zoom has published multiple security bulletins addressing vulnerabilities in its Workplace applications, including Android, Windows, macOS, and VDI clients. These updates are crucial for organizations relying on Zoom for hybrid work, as they mitigate risks of unauthorized access and system disruptions.
Key Vulnerabilities Disclosed
The latest advisories highlight two high-severity flaws and several medium-rated issues, emphasizing the importance of timely patching:
- Improper Authorization in Android App (CVE-2025-64741)
A flaw in Zoom Workplace for Android could allow attackers to bypass access controls, enabling unauthorized meeting participation or access to sensitive session data. This affects versions prior to the latest patch. - Cryptographic Signature Verification Failure in VDI Client (CVE-2025-64740)
The Windows VDI Client suffers from improper signature validation, creating a risk of tampered updates or intercepted communications—an issue historically linked to supply chain attacks.
Medium-Severity Vulnerabilities
- Path Manipulation in Zoom Clients (CVE-2025-64739)
External control of file paths could lead to data leakage or code execution if combined with other exploits. - macOS Path Traversal (CVE-2025-64738)
Crafted inputs may overwrite critical files, underscoring the need for robust input sanitization. - Null Pointer Dereference in Windows Apps (CVE-2025-30670, CVE-2025-30671)
While not exploitable for code execution, these flaws can cause crashes and denial-of-service conditions, disrupting business operations.
Why This Matters
Cybersecurity experts warn that collaboration tools remain prime targets for attackers. Exploiting these vulnerabilities could lead to privilege escalation, data breaches, or operational downtime.
Recommended Actions
- Update Immediately: Install the latest versions of Zoom Workplace across all platforms.
- Enable Multi-Factor Authentication: Reduce the risk of unauthorized access.
- Monitor for Anomalies: Watch for unusual app behavior or system crashes.
Zoom has addressed over a dozen vulnerabilities since August 2025, reinforcing the need for proactive patch management. CVSS scores for the high-severity flaws are expected to exceed 7.5, making these updates critical for enterprise security.
Bottom Line: Timely updates remain your best defense against evolving threats in unified communication platforms.
