Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-28756

CVE-2022-28756: Zoom Meetings Privilege Escalation Flaw

CVE-2022-28756 is a privilege escalation vulnerability in Zoom Meetings for macOS that allows low-privileged users to gain root access. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2022-28756 Overview

CVE-2022-28756 is a local privilege escalation vulnerability affecting the Zoom Client for Meetings for macOS (Standard and for IT Admin). The vulnerability exists in the auto update process, where a local low-privileged user can exploit the flaw to escalate their privileges to root. This vulnerability impacts Zoom Client versions starting with 5.7.3 and before 5.11.5.

Critical Impact

Local attackers with low-privileged access can escalate to root privileges, potentially gaining complete control over macOS systems running vulnerable Zoom Client versions.

Affected Products

  • Zoom Client for Meetings for macOS (Standard) versions 5.7.3 to before 5.11.5
  • Zoom Client for Meetings for macOS (IT Admin) versions 5.7.3 to before 5.11.5

Discovery Timeline

  • 2022-08-15 - CVE-2022-28756 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2022-28756

Vulnerability Analysis

This privilege escalation vulnerability resides in the Zoom Client for Meetings auto update mechanism on macOS. The flaw is associated with CWE-347 (Improper Verification of Cryptographic Signature), indicating that the auto update process fails to properly validate cryptographic signatures during the update workflow. This allows a local attacker with low privileges to manipulate the update process and execute code with elevated root privileges.

The attack requires local access to the target system but does not require user interaction to exploit. Once exploited, an attacker gains complete control over the confidentiality, integrity, and availability of the affected system.

Root Cause

The root cause of CVE-2022-28756 is improper verification of cryptographic signatures (CWE-347) in the Zoom auto update process. The update mechanism does not adequately validate that update packages are legitimately signed by Zoom before executing them with elevated privileges. This cryptographic signature verification weakness allows attackers to potentially inject malicious code into the update workflow.

Attack Vector

The attack vector for CVE-2022-28756 is local, meaning an attacker must have existing access to the target macOS system. The attacker can exploit the vulnerable auto update process by:

  1. Gaining initial access to the system with a low-privileged user account
  2. Manipulating the auto update mechanism by exploiting the signature verification weakness
  3. Injecting or substituting malicious code that gets executed with root privileges during the update process
  4. Achieving full root access to the compromised macOS system

The vulnerability requires low attack complexity and no user interaction, making it readily exploitable once an attacker has local system access. For detailed technical information, refer to the Zoom Security Bulletin.

Detection Methods for CVE-2022-28756

Indicators of Compromise

  • Unexpected processes spawned by the Zoom auto update mechanism running with root privileges
  • Suspicious modifications to Zoom update-related files or directories on macOS
  • Anomalous privilege escalation events associated with the Zoom application
  • Unauthorized root-level access originating from low-privileged user sessions

Detection Strategies

  • Monitor for unusual process hierarchies where Zoom-related processes spawn root-privileged child processes
  • Implement endpoint detection rules to alert on privilege escalation attempts involving the Zoom Client auto update functionality
  • Deploy file integrity monitoring on Zoom installation directories and update cache locations
  • Analyze system logs for signs of signature verification bypass or update manipulation

Monitoring Recommendations

  • Enable comprehensive macOS system logging to capture privilege escalation events
  • Configure security tooling to alert on root privilege acquisition by non-administrative users
  • Monitor Zoom Client update activities for anomalous behavior patterns
  • Review endpoint telemetry for suspicious activity correlating with Zoom update processes

How to Mitigate CVE-2022-28756

Immediate Actions Required

  • Update Zoom Client for Meetings for macOS to version 5.11.5 or later immediately
  • Audit systems to identify all instances of vulnerable Zoom Client versions (5.7.3 to 5.11.4)
  • Review system logs for any signs of exploitation attempts targeting the auto update mechanism
  • Implement enhanced monitoring for privilege escalation activities on macOS endpoints

Patch Information

Zoom has addressed this vulnerability in Zoom Client for Meetings for macOS version 5.11.5 and later. Organizations should update all affected macOS clients to the patched version as soon as possible. The official security advisory and update information is available at the Zoom Security Bulletin.

Workarounds

  • Restrict local user access to macOS systems running vulnerable Zoom Client versions where updates cannot be immediately applied
  • Implement application whitelisting to control execution of update-related processes
  • Consider temporarily disabling automatic updates and performing manual updates through a verified secure channel
  • Apply principle of least privilege to limit exposure of low-privileged accounts that could be leveraged for exploitation
bash
# Check current Zoom Client version on macOS
/Applications/zoom.us.app/Contents/MacOS/zoom.us --version

# Verify Zoom Client has been updated to patched version (5.11.5 or later)
# If version is below 5.11.5, update immediately via:
# Zoom menu > Check for Updates, or download from zoom.us

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne