Unauthenticated Escalation of Privilege Vulnerability in Zoom Desktop Client for Windows
CVE-2024-24691
Key Information
- Affected products: Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows
- Vendor: Zoom
- CVE Published: 14 February 2024
What is CVE-2024-24691?
CVE-2024-24691 is a vulnerability identified in the Zoom Desktop Client for Windows. This software facilitates online video conferencing and meetings, which are crucial for remote communication in various sectors. The vulnerability arises from improper input validation, allowing an unauthenticated user to escalate their privileges through network access. If exploited, this could provide unauthorized users with elevated access to features and functionalities of the application, potentially leading to serious security breaches within an organization.
Technical Details
The vulnerability affects Zoom's Desktop Client, VDI Client, and Meeting SDK for Windows. The core issue is the application's failure to validate inputs correctly. This weakness could allow an attacker, without prior authentication, to manipulate the system in a way that facilitates privilege escalation. As a result, attackers may gain access to sensitive system operations or user data, compromising the integrity of the Zoom environment.
Impact of the Vulnerability
- Unauthorized Access: The primary risk associated with CVE-2024-24691 is that it enables unauthorized users to gain elevated privileges within the affected systems, potentially allowing them to access sensitive information or execute uncontrolled actions.
- Data Exfiltration: With elevated privileges, attackers could extract sensitive data from conferencing sessions or user accounts, leading to potential data breaches and loss of confidentiality.
- Compromised System Integrity: The ability for an unauthenticated user to escalate privileges can lead to the manipulation or alteration of system settings, possibly affecting the overall stability and reliability of the Zoom services used by the organization.
Affected Version(s)
Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows: see references
News Articles
Mitigate Zoom CVE-2024-24691
Mitigating Zoom CVE-2024-24691 using Regedit / Group Policy
10 months ago
Zoom Desktop Flaws Let Attackers Launch Privilege Escalation Attacks
Zoom has patched seven vulnerabilities in its desktop and mobile applications, particularly a critical flaw identified as CVE-2024-24691.
10 months ago
Zoom fixed critical flaw CVE-2024-24691 in Windows software
Zoom fixed 7 flaws in its desktop and mobile applications, including a critical bug (CVE-2024-24691) affecting the Windows software
10 months ago
References
CVSS V3.1
Timeline
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- Vulnerability published
- First article discovered by securityonline.info
- Vulnerability Reserved