Zoom and Xerox have resolved significant security vulnerabilities in Zoom Clients for Windows and Xerox FreeFlow Core that posed risks of privilege escalation and remote code execution.
One of the flaws affecting Zoom Clients for Windows is identified as CVE-2025-49457, with a CVSS score of 9.6. This issue stems from an untrusted search path, which could enable privilege escalation.
According to a security bulletin released by Zoom on Tuesday, "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access."
The vulnerability was discovered by Zoom’s Offensive Security team and impacts the following products:
- Zoom Workplace for Windows prior to version 6.3.10
- Zoom Workplace VDI for Windows prior to version 6.3.10 (excluding versions 6.1.16 and 6.2.12)
- Zoom Rooms for Windows prior to version 6.3.10
- Zoom Rooms Controller for Windows prior to version 6.3.10
- Zoom Meeting SDK for Windows prior to version 6.3.10
In a separate disclosure, multiple vulnerabilities have been found in Xerox FreeFlow Core. The most critical of these could allow remote code execution. These issues have been fixed in version 8.0.4 and include:
- CVE-2025-8355 (CVSS score: 7.5), an XML External Entity (XXE) injection vulnerability that could lead to server-side request forgery (SSRF)
- CVE-2025-8356 (CVSS score: 9.8), a path traversal vulnerability that could result in remote code execution
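The two Xerox flaws are classic input-handling bugs: an XML parser that honours DTD and external entity declarations (XXE, which lets a document pull in a local file or an internal URL and so becomes SSRF), and a file path built from client input without confining it to the intended directory (path traversal, which turns a file write into code execution when the destination is a web root or plugin folder). The following Python is an added illustration of the two server-side checks that close these classes; it is not Xerox code and says nothing about how FreeFlow Core itself is implemented. The upload directory, the sample paths and the sample XML documents are all constructed for the example.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Hypothetical directory a print-workflow server would confine job uploads to.
# This is an assumption for the example, not a path from the Xerox product.
UPLOAD_ROOT = "/srv/printjobs/uploads"

# Constructed sample inputs: one legitimate relative path and several
# traversal attempts (relative, absolute, Windows-style separators).
SAMPLE_PATHS = [
    "job42/ticket.xml",
    "../../etc/passwd",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "job42/../../other",
]

# Constructed sample XML: a benign job ticket and one carrying a DTD with an
# external entity, the shape an XXE attempt takes. The SYSTEM URI is a
# placeholder, not a real target.
BENIGN_XML = b"<?xml version='1.0'?><job><name>brochure</name></job>"
XXE_XML = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE job [<!ENTITY ext SYSTEM 'file:///example-only'>]>"
    b"<job><name>&ext;</name></job>"
)


def is_within_root(root: str, user_path: str) -> bool:
    """Return True only if user_path resolves to a location under root.

    Backslashes are normalised to '/' first because clients may send
    Windows-style separators. The candidate is made absolute so '..'
    segments and leading '/' are resolved, then compared with commonpath
    rather than a string prefix, so that a sibling directory such as
    'uploads2' does not pass as 'uploads'.
    """
    root_abs = posixpath.abspath(root)
    normalised = user_path.replace("\\", "/")
    candidate = posixpath.abspath(posixpath.join(root_abs, normalised))
    return posixpath.commonpath([root_abs, candidate]) == root_abs


def safe_join(root: str, user_path: str) -> str:
    """Resolve user_path under root, or raise ValueError if it escapes."""
    if not is_within_root(root, user_path):
        raise ValueError(f"path escapes {root!r}: {user_path!r}")
    normalised = user_path.replace("\\", "/")
    return posixpath.abspath(posixpath.join(posixpath.abspath(root), normalised))


# Any DOCTYPE or ENTITY declaration is the vehicle for XXE; a job ticket
# format that never needs a DTD can simply refuse documents that carry one.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def contains_dtd(data: bytes) -> bool:
    """True if the raw document declares a DTD or an entity."""
    return _DTD_MARKERS.search(data) is not None


def parse_job_ticket(data: bytes) -> ET.Element:
    """Parse XML only after confirming it carries no DTD.

    ElementTree does not fetch external entities itself, but rejecting the
    declaration up front keeps the policy independent of parser defaults
    and fails closed before any entity expansion is attempted.
    """
    if contains_dtd(data):
        raise ValueError("XML with DOCTYPE/ENTITY declarations is not accepted")
    return ET.fromstring(data)


def audit_sample_paths() -> dict:
    """Map each constructed sample path to its accept/reject verdict."""
    return {p: is_within_root(UPLOAD_ROOT, p) for p in SAMPLE_PATHS}


if __name__ == "__main__":
    for path, ok in audit_sample_paths().items():
        print(f"{'ACCEPT' if ok else 'REJECT':6} {path}")
    print("benign ticket name:", parse_job_ticket(BENIGN_XML).find("name").text)
    print("xxe sample rejected:", contains_dtd(XXE_XML))
```

The path check compares resolved directories with `commonpath` instead of testing a string prefix, because a prefix test accepts `uploads2/…` as being inside `uploads`; the XML check rejects DTDs outright rather than trusting a parser option, which is the simpler policy when the accepted format never needs one.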
Horizon3.ai noted that these vulnerabilities are relatively easy to exploit. If successfully leveraged, they could allow attackers to run arbitrary commands on the affected systems, access sensitive data, or move laterally within a corporate network to expand their attack.