
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN603
_____________________________________________________________________

DATE                : 11/09/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Zoom Workplace.

=====================================================================
https://www.zoom.com/en/trust/security-bulletin/zsb-25032/
https://www.zoom.com/en/trust/security-bulletin/zsb-25034/
https://www.zoom.com/en/trust/security-bulletin/zsb-25031/
https://www.zoom.com/en/trust/security-bulletin/zsb-25035/
https://www.zoom.com/en/trust/security-bulletin/zsb-25036/
https://www.zoom.com/en/trust/security-bulletin/zsb-25037/
_____________________________________________________________________


Zoom Workplace for Windows on ARM - Missing Authorization

    Bulletin: ZSB-25032
    CVEID: CVE-2025-49459
    CVSS Severity: High
    CVSS Score: 7.3
    CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description:

Missing authorization in the installer for Zoom Workplace for Windows
on ARM before version 6.5.0 may allow an authenticated user to
conduct an escalation of privilege via local access.
 

Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.


Affected Products:

    Zoom Workplace for Windows on ARM before version 6.5.0


Source:

Reported by sim0nsecurity.


Revision 	Date         Description
1.0             09/09/2025   Initial publication.
_____________________________________________________________________


Zoom Workplace Clients - Cross-site Scripting

    Bulletin: ZSB-25034
    CVEID: CVE-2025-49461
    CVSS Severity: Medium
    CVSS Score: 4.3
    CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Description:

Cross-site scripting in certain Zoom Workplace Clients may allow an
unauthenticated user to conduct a denial of service via network
access.


Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:

    Zoom Workplace Desktop for Windows before version 6.5.0
    Zoom Workplace Desktop for macOS before version 6.5.0
    Zoom Workplace Desktop for Linux before version 6.5.0
    Zoom Workplace App for iOS before version 6.5.0
    Zoom Workplace VDI Client for Windows before version 6.3.14 and 6.4.12 in their respective tracks
    Zoom Rooms Controller for Windows before version 6.5.0
    Zoom Rooms Controller for macOS before version 6.5.0
    Zoom Rooms Controller for Linux before version 6.5.0
    Zoom Rooms Controller for Android before version 6.5.0
    Zoom Rooms Client for Windows before version 6.5.0
    Zoom Rooms Client for macOS before version 6.5.0
    Zoom Rooms Client for Android before version 6.5.0
    Zoom Rooms Client for iPad before version 6.5.0
    Zoom Meeting SDK for Windows before version 6.5.0
    Zoom Meeting SDK for Android before version 6.5.0
    Zoom Meeting SDK for macOS before version 6.5.0
    Zoom Meeting SDK for Linux before version 6.5.0

Source:

Reported by Zoom Engineering Security.


Revision 	Date         Description
1.0             09/09/2025   Initial publication.
_____________________________________________________________________


Zoom Workplace Clients - Buffer Overflow

    Bulletin: ZSB-25031
    CVEID: CVE-2025-49458
    CVSS Severity: Medium
    CVSS Score: 6.5
    CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description:

Buffer overflow in certain Zoom Workplace Clients may allow an
authenticated user to conduct a denial of service via network
access.
 

Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.

Affected Products:

    Zoom Workplace for Windows before version 6.5.0
    Zoom Workplace for macOS before version 6.5.0
    Zoom Workplace for Linux before version 6.5.0
    Zoom Workplace VDI Client for Windows before version 6.3.14 and 6.4.12 in their respective tracks
    Zoom Rooms for Windows before version 6.5.0
    Zoom Rooms for macOS before version 6.5.0
    Zoom Rooms for iOS before version 6.5.0
    Zoom Rooms Controller for Windows before version 6.5.0
    Zoom Rooms Controller for macOS before version 6.5.0
    Zoom Rooms Controller for Linux before version 6.5.0
    Zoom Meeting SDK for Windows before version 6.5.0
    Zoom Meeting SDK for macOS before version 6.5.0
    Zoom Meeting SDK for Linux before version 6.5.0

Source:



Revision 	Date         Description
1.0             09/09/2025   Initial publication.
_____________________________________________________________________


Zoom Workplace Clients for Windows - Incorrect Authorization

    Bulletin: ZSB-25035
    CVEID: CVE-2025-58134
    CVSS Severity: Medium
    CVSS Score: 4.3
    CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Description:

Incorrect authorization in certain Zoom Workplace Clients for Windows
may allow an authenticated user to affect integrity via network
access.
 

Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.


Affected Products:

    Zoom Workplace Desktop for Windows before version 6.5.0
    Zoom Workplace VDI Client for Windows before version 6.3.14 and 6.4.12 in their respective tracks
    Zoom Rooms Controller for Windows before version 6.5.0
    Zoom Rooms Client for Windows before version 6.5.0
    Zoom Meeting SDK for Windows before version 6.5.0


Source:

Reported by Zoom Engineering Security.


Revision 	Date         Description
1.0             09/09/2025   Initial publication.
_____________________________________________________________________


Zoom Workplace Clients for Windows - Improper Action Enforcement

    Bulletin: ZSB-25036
    CVEID: CVE-2025-58135
    CVSS Severity: Medium
    CVSS Score: 5.3
    CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Description:

Improper action enforcement in certain Zoom Workplace Clients for
Windows may allow an unauthenticated user to conduct a disclosure
of information via network access.


Users can help keep themselves secure by applying the latest
updates available at https://zoom.us/download.


Affected Products:

    Zoom Workplace Desktop for Windows before version 6.5.0
    Zoom Workplace VDI Client for Windows before version 6.3.14 and 6.4.12 in their respective tracks
    Zoom Rooms Controller for Windows before version 6.5.0
    Zoom Rooms Client for Windows before version 6.5.0
    Zoom Meeting SDK for Windows before version 6.5.0


Source:

Reported by Zoom Offensive Security.


Revision 	Date         Description
1.0             09/09/2025   Initial publication.
_____________________________________________________________________


Zoom Workplace VDI Plugin macOS Universal installer for VMware
Horizon - Race Condition

    Bulletin: ZSB-25037
    CVEID: CVE-2025-58131
    CVSS Severity: Medium
    CVSS Score: 6.6
    CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N


Description:

Race condition in the Zoom Workplace VDI Plugin macOS Universal
installer for VMware Horizon before version 6.4.10 (or before 6.2.15
and 6.3.12 in their respective tracks) may allow an authenticated
user to conduct a disclosure of information via network access.
 

Users can help keep themselves secure by applying the latest updates
available at https://zoom.us/download.


Affected Products:

    Zoom Workplace VDI Plugin macOS Universal installer for VMware
Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their
respective tracks)


Source:

Reported by an anonymous researcher.


Revision 	Date         Description
1.0             09/09/2025   Initial publication.
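The version thresholds in the bulletins above are easy to misread for products that ship on several maintenance tracks (the VDI Client for Windows is fixed in 6.3.14, 6.4.12 and 6.5.0; the VDI Plugin for VMware Horizon in 6.2.15, 6.3.12 and 6.4.10). The following Python helper, added here as an example and not code from CERT-Renater or Zoom, applies those thresholds to a software inventory: a build is compared against the fixed version of its own major.minor track when one is listed, and against the main fixed version otherwise. The product names, the FIXED table and the sample inventory are assumptions built from the bulletin text.

```python
"""Version triage for the Zoom bulletins above (added example, not vendor or CERT code)."""
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    # Tuples compare lexicographically, so a trailing build number
    # (e.g. 6.5.0.1234) still sorts correctly against 6.5.0.
    return tuple(int(p) for p in s.strip().split("."))


def is_affected(installed: str, fixed: str, tracks: Iterable[str] = ()) -> bool:
    """True when 'installed' is below the fix for its track, or below 'fixed' otherwise."""
    v = parse_version(installed)
    for t in tracks:
        tv = parse_version(t)
        if v[:2] == tv[:2]:          # same maintenance track as a listed track fix
            return v < tv
    return v < parse_version(fixed)  # any other track: the main fixed version applies


# Thresholds transcribed from the bulletins: product -> (main fixed version, track fixes).
# Product names are assumptions; match them to your inventory's naming.
FIXED = {
    "Zoom Workplace Desktop for Windows": ("6.5.0", ()),
    "Zoom Workplace VDI Client for Windows": ("6.5.0", ("6.3.14", "6.4.12")),
    "Zoom Workplace VDI Plugin macOS (VMware Horizon)": ("6.4.10", ("6.2.15", "6.3.12")),
}


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """inventory rows are (host, product, installed version); returns rows still exposed."""
    exposed = []
    for host, product, ver in inventory:
        fixed, tracks = FIXED[product]
        if is_affected(ver, fixed, tracks):
            exposed.append((host, product, ver))
    return exposed


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE = [
    ("ws-01", "Zoom Workplace Desktop for Windows", "6.4.11"),
    ("ws-02", "Zoom Workplace Desktop for Windows", "6.5.0"),
    ("vdi-01", "Zoom Workplace VDI Client for Windows", "6.3.13"),
    ("vdi-02", "Zoom Workplace VDI Client for Windows", "6.4.12"),
    ("mac-01", "Zoom Workplace VDI Plugin macOS (VMware Horizon)", "6.4.9"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("still exposed:", *row)
```

A 6.2.x VDI Client build has no listed track fix, so it falls through to the 6.5.0 comparison and is reported as exposed, which is the conservative reading of the bulletin.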

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
