Zoom Product Security Update Advisory (CVE-2024-24691, CVE-2024-24697)

Overview


Zoom has released updates that address two vulnerabilities in its Windows products. Users of affected versions are encouraged to update to the latest version.


Affected Products


CVE-2024-24691

  • Zoom Desktop Client for Windows versions earlier than 5.16.5
  • Zoom VDI Client for Windows versions earlier than 5.16.10 (versions 5.14.14 and 5.15.12 are not vulnerable)
  • Zoom Rooms Client for Windows versions earlier than 5.17.0
  • Zoom Meeting SDK for Windows versions earlier than 5.16.5


CVE-2024-24697

  • Zoom Desktop Client for Windows versions earlier than 5.17.0
  • Zoom VDI Client for Windows versions earlier than 5.17.5 (versions 5.15.15 and 5.16.12 are not vulnerable)
  • Zoom Meeting SDK for Windows versions earlier than 5.17.0
  • Zoom Rooms Client for Windows versions earlier than 5.17.0
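The two lists above are a set of version thresholds with per-product exemptions, which is awkward to check by eye across a fleet. The following script is an added example, not part of this advisory or of any Zoom tooling: it encodes the affected ranges exactly as stated above and evaluates installed version strings against them. It assumes that a four-part build string such as 5.14.14.1234 belongs to the 5.14.14 release for exemption purposes (prefix match), and the inventory it audits is constructed sample data.

```python
"""Evaluate Zoom for Windows version strings against the affected ranges
published for CVE-2024-24691 and CVE-2024-24697.

Added example; the thresholds are taken from the advisory text, the
inventory below is constructed, and the prefix-match rule for exempt
versions is an assumption of this script.
"""

# (fixed_in, exempt_versions) per product, as listed in the advisory.
# A version is affected if it is earlier than fixed_in and not exempt.
ADVISORY = {
    "CVE-2024-24691": {
        "Zoom Desktop Client for Windows": ("5.16.5", ()),
        "Zoom VDI Client for Windows": ("5.16.10", ("5.14.14", "5.15.12")),
        "Zoom Rooms Client for Windows": ("5.17.0", ()),
        "Zoom Meeting SDK for Windows": ("5.16.5", ()),
    },
    "CVE-2024-24697": {
        "Zoom Desktop Client for Windows": ("5.17.0", ()),
        "Zoom VDI Client for Windows": ("5.17.5", ("5.15.15", "5.16.12")),
        "Zoom Meeting SDK for Windows": ("5.17.0", ()),
        "Zoom Rooms Client for Windows": ("5.17.0", ()),
    },
}


def parse_version(text):
    """Turn '5.16.5' or '5.16.5.26124' into a tuple of ints for ordering."""
    return tuple(int(part) for part in text.strip().split("."))


def is_exempt(version, exempt_versions):
    """Assumption: an exempt release covers all build numbers under it,
    so 5.14.14.1234 matches the exempt entry 5.14.14 by prefix."""
    return any(
        version[: len(e)] == e
        for e in (parse_version(x) for x in exempt_versions)
    )


def affected_cves(product, version_text):
    """Return the CVE ids from the advisory that apply to this install."""
    version = parse_version(version_text)
    hits = []
    for cve, products in ADVISORY.items():
        if product not in products:
            continue  # product not named for this CVE
        fixed_in, exempt = products[product]
        if is_exempt(version, exempt):
            continue
        if version < parse_version(fixed_in):
            hits.append(cve)
    return hits


# Constructed sample inventory: (host, product, installed version).
INVENTORY = [
    ("ws-01", "Zoom Desktop Client for Windows", "5.16.2.22807"),
    ("ws-02", "Zoom Desktop Client for Windows", "5.17.5.31030"),
    ("vdi-01", "Zoom VDI Client for Windows", "5.14.14.1234"),
    ("room-01", "Zoom Rooms Client for Windows", "5.17.0.1234"),
]


def audit(inventory):
    """Return (host, product, version, cves) for every install that is
    still affected by at least one CVE in the advisory."""
    findings = []
    for host, product, version in inventory:
        cves = affected_cves(product, version)
        if cves:
            findings.append((host, product, version, cves))
    return findings


if __name__ == "__main__":
    for host, product, version, cves in audit(INVENTORY):
        print(f"{host}: {product} {version} -> {', '.join(cves)}")
```

Note how the VDI host at 5.14.14 is exempt from CVE-2024-24691 but still falls under CVE-2024-24697, which is the kind of interaction between the two lists that is easy to miss when checking manually.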


Resolved Vulnerabilities


Privilege escalation vulnerability due to improper input validation in Zoom products (CVE-2024-24691)
Privilege escalation vulnerability due to an untrusted search path in Zoom products (CVE-2024-24697)


Vulnerability Patches


Vulnerability patches were made available in the February 13, 2024 update. Please follow the instructions on the reference site [1] to update to the patched version.


Reference site


[1] Download Center
https://zoom.us/download?deviceId=10dacde1-e4b0-4195-99ab-2dd65789844f&_ics=1708065963153&irclickid=~chec8725ZVNGHCwsrszFwmnjimqrmruqpglfg8972SLHGBxmka90&_ga=2.26946045.1349879297.1708065641-212707252.1708065641
[2] Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows – Improper Input Validation
https://www.zoom.com/en/trust/security-bulletin/ZSB-24008/
[3] Zoom Clients – Untrusted Search Path
https://www.zoom.com/en/trust/security-bulletin/ZSB-24004/