Improper trust boundary implementation for SMB in Zoom Clients

CVE-2023-28597
7.5 HIGH

Key Information

Vendor:
Zoom
Products:
Zoom (for Android, iOS, Linux, macOS, and Windows)
Zoom Rooms (for Android, iOS, Linux, macOS, and Windows)
Zoom VDI for Windows
CVE Published:
27 March 2023

Summary

Zoom clients prior to 5.13.5 (Zoom VDI for Windows prior to 5.13.10) contain an improper trust boundary implementation vulnerability. If a victim saves a local recording to an SMB location and later opens it using a link from Zoom's web portal, an attacker positioned on a network adjacent to the victim's client could set up a malicious SMB server that answers the client's requests for that location, causing the client to execute attacker-controlled executables. This could result in the attacker gaining access to the user's device and data, and in remote code execution.

Affected Version(s)

Zoom (for Android, iOS, Linux, macOS, and Windows) < 5.13.5

Zoom Rooms (for Android, iOS, Linux, macOS, and Windows) < 5.13.5

Zoom VDI for Windows < 5.13.10
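The fixed versions differ by product (5.13.5 for Zoom and Zoom Rooms, 5.13.10 for Zoom VDI for Windows), and a naive string comparison ranks "5.13.10" below "5.13.5". The following triage script, an added example and not Zoom's code, flags inventory entries still below the fixed release for their product; the fixed versions come from the table above, while the inventory lines and build numbers are constructed sample data.

```python
"""Flag Zoom installs still exposed to CVE-2023-28597 from an inventory list.

Added example, not Zoom's code. Fixed versions come from the advisory's
affected-version table; the inventory entries below are constructed.
"""
import re
from typing import List, Tuple

# Product -> first fixed version, per the affected-version table.
FIXED_VERSIONS = {
    "Zoom": "5.13.5",
    "Zoom Rooms": "5.13.5",
    "Zoom VDI for Windows": "5.13.10",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.13.5 (12053)' or '5.13.5.12053' into a tuple of ints.

    Numeric comparison matters: as strings, '5.13.10' < '5.13.5', which
    would wrongly mark the VDI fix release as vulnerable.
    """
    core = version.strip().split(" ")[0]  # drop a trailing "(build)" suffix
    if not _VERSION_RE.match(core):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in core.split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version is below the first fixed release."""
    fixed = parse_version(FIXED_VERSIONS[product])
    installed = parse_version(version)
    # Pad the shorter tuple with zeros so '5.13.5' compares equal to '5.13.5.0'.
    width = max(len(fixed), len(installed))
    fixed += (0,) * (width - len(fixed))
    installed += (0,) * (width - len(installed))
    return installed < fixed


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hostnames whose installed client still needs the patch."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory: (host, product, version). Not real data.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom", "5.13.3 (11494)"),
    ("ws-02", "Zoom", "5.13.5.12053"),
    ("room-a", "Zoom Rooms", "5.12.0"),
    ("vdi-01", "Zoom VDI for Windows", "5.13.5"),   # fixed for Zoom, not for VDI
    ("vdi-02", "Zoom VDI for Windows", "5.13.10"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required for CVE-2023-28597")
```

Note that vdi-01 is flagged even though 5.13.5 is the fixed release for the desktop client; the VDI client needs 5.13.10, so the check must be keyed on product, not on a single version threshold.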

CVSS V3.1

Score:
7.5
Severity:
HIGH
Vector:
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability reserved.

  • Vulnerability published.

Collectors

NVD Database, MITRE Database