InfoSecBulletin Cybersecurity for mankind
Zoom has released security updates for its Windows clients to fix two major vulnerabilities, CVE-2025-49456 and CVE-2025-49457, which could allow attackers to exploit race conditions and untrusted search paths.
The first flaw, CVE-2025-49456 (CVSS 6.2), is a race condition in the installer for certain Zoom Clients for Windows. According to Zoom, it “may allow an unauthenticated user to impact application integrity via local access.”
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
This means that a local attacker could potentially manipulate the installation process to alter or replace application files before they are properly secured, potentially enabling malicious code execution.
The second and more severe issue, CVE-2025-49457 (CVSS 9.6), is an untrusted search path vulnerability in certain Zoom Clients for Windows. Zoom warns that it “may allow an unauthenticated user to conduct an escalation of privilege via network access.”
By placing a malicious file in a location searched before the legitimate file path, an attacker—potentially over a network share—could trick the application into executing malicious code with elevated privileges.
Both vulnerabilities have been fixed in the latest releases. Zoom advises all users to immediately update their clients to the patched versions via the official Zoom Download Center.
