zoom-clients
Fixed in
6.4.5
CVE-2025-49462 describes a Cross-Site Scripting (XSS) vulnerability affecting certain Zoom Clients versions prior to 6.4.5. This flaw may allow an authenticated user to disclose information via network access. The vulnerability has been resolved with the release of version 6.4.5, and users are strongly encouraged to update their clients.
The XSS vulnerability in Zoom Clients allows an attacker, once authenticated, to inject malicious scripts into web pages viewed by other users. This could lead to the disclosure of sensitive information, such as session cookies, authentication tokens, or personally identifiable information (PII). An attacker could potentially leverage this to impersonate a user, access their account, and perform actions on their behalf. While the CVSS score is LOW, the potential for information disclosure and account compromise warrants immediate attention, especially given the widespread use of Zoom for business and personal communications.
CVE-2025-49462 was publicly disclosed on 2025-07-10. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed in the CISA KEV catalog. Given the LOW CVSS score and the lack of public exploits, the probability of active exploitation is currently considered low, but continuous monitoring is recommended.
Organizations heavily reliant on Zoom for internal and external communication are at increased risk. Users with elevated privileges within the Zoom client, such as administrators or meeting hosts, are particularly vulnerable. Environments with legacy Zoom client deployments or those lacking robust patch management processes are also at higher risk.
• zoom / client: Monitor Zoom client logs for unusual script execution patterns. Examine network traffic for suspicious payloads.

    Get-Process zoom | Select-Object -ExpandProperty CommandLine

• generic web: Check Zoom client update mechanisms for signs of tampering or unauthorized modifications. Review Zoom client configuration files for any unusual settings.
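As an added example (not part of this advisory), the following PowerShell inventory check finds Zoom clients installed on a Windows host and flags any build below the fixed release 6.4.5; the Uninstall registry paths, the 'Zoom*' DisplayName match and the dotted DisplayVersion format are assumptions about how the installer registers itself.

```powershell
# Added example, not from the advisory: inventory Zoom clients on a Windows host and
# flag any build older than the fixed release 6.4.5 (CVE-2025-49462).
# Assumptions: the installer writes an Uninstall entry whose DisplayName starts with
# "Zoom" and whose DisplayVersion is dotted (e.g. 6.4.5.12345); standard Uninstall keys.

$FixedVersion = [version]'6.4.5'

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs (assumed)
)

function ConvertTo-ComparableVersion {
    param([string]$DisplayVersion)
    # Keep at most the first three components so 6.4.5.12345 compares as 6.4.5
    $parts = ($DisplayVersion -split '\.') | Select-Object -First 3
    if ($parts.Count -lt 2) { return $null }   # [version] needs at least major.minor
    try { [version]($parts -join '.') } catch { $null }
}

function Get-ZoomClientStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zoom*' -and $_.DisplayVersion } |
        ForEach-Object {
            $installed = ConvertTo-ComparableVersion $_.DisplayVersion
            # Unparseable versions are reported as 'unknown' rather than silently passed
            $vulnerable = if ($installed) { $installed -lt $FixedVersion } else { 'unknown' }
            [pscustomobject]@{
                Name       = $_.DisplayName
                Version    = $_.DisplayVersion
                Vulnerable = $vulnerable
            }
        }
}

function Get-RunningZoomVersion {
    # A user-scoped install may be missing from HKLM; the running binary's file
    # metadata is an independent source for the version actually in use.
    Get-Process -Name zoom -ErrorAction SilentlyContinue |
        Where-Object Path |
        Select-Object -First 1 |
        ForEach-Object { (Get-Item $_.Path).VersionInfo.ProductVersion }
}

Get-ZoomClientStatus | Format-Table -AutoSize
$running = Get-RunningZoomVersion
if ($running) { "Running zoom.exe reports product version $running" }
```

Run it in an elevated session to read the HKLM keys; a row with Vulnerable = True is a client that still needs the 6.4.5 update.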
EPSS: 0.01% (3rd percentile)
The primary mitigation for CVE-2025-49462 is to upgrade Zoom Clients to version 6.4.5 or later. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider implementing stricter input validation on user-supplied data within the Zoom client. While a WAF is unlikely to directly mitigate this client-side vulnerability, reviewing Zoom client network traffic for suspicious script injections could provide an early warning. After upgrading, confirm the fix by attempting to trigger the XSS vulnerability using known attack vectors and verifying that the client properly sanitizes input.
Upgrade to Zoom Clients version 6.4.5 or later. This update fixes the Cross-Site Scripting (XSS) vulnerability that could allow information disclosure. Download the latest version from the official Zoom website or through the usual update channels.
CVE-2025-49462 is a Cross-Site Scripting (XSS) vulnerability affecting Zoom Clients versions 0–6.4.5, allowing potential information disclosure.
If you are using a Zoom Client version between 0 and 6.4.5, you are potentially affected by this XSS vulnerability.
Upgrade your Zoom Clients to version 6.4.5 or later to resolve this vulnerability.
There are currently no publicly known active exploitation campaigns for CVE-2025-49462.
Refer to the official Zoom security advisory for CVE-2025-49462 on the Zoom security website.