CVE-2023-28597 Overview
CVE-2023-28597 is an improper trust boundary implementation vulnerability affecting Zoom clients prior to version 5.13.5. The vulnerability exists in how Zoom handles local recordings saved to SMB (Server Message Block) network locations. When a victim saves a local recording to an SMB location and later opens it using a link from Zoom's web portal, an attacker positioned on an adjacent network can exploit this trust boundary flaw to execute arbitrary code on the victim's system.
Critical Impact
An attacker on an adjacent network can gain complete access to a user's device and data through remote code execution by setting up a malicious SMB server that responds to Zoom client requests with attacker-controlled executables.
Affected Products
- Zoom Rooms for Windows, macOS, Linux, iOS, and Android (versions prior to 5.13.5)
- Zoom Client for Windows, macOS, Linux, iOS, and Android (versions prior to 5.13.5)
- Zoom Virtual Desktop Infrastructure (VDI) (versions prior to 5.13.5)
Discovery Timeline
- 2023-03-27 - CVE-2023-28597 published to NVD
- 2025-02-19 - Last updated in NVD database
Technical Details for CVE-2023-28597
Vulnerability Analysis
This vulnerability stems from CWE-501: Trust Boundary Violation, where the Zoom client fails to properly validate the trust boundary between the application and external network resources. The flaw manifests when users interact with locally recorded content that has been saved to SMB file shares.
The attack scenario requires the attacker to be positioned on an adjacent network segment relative to the victim. This positioning allows the attacker to intercept or respond to SMB requests initiated by the Zoom client. The complexity of this attack is considered high due to the network positioning requirements and the specific user actions needed to trigger the vulnerability.
When exploited, this vulnerability provides full compromise of confidentiality, integrity, and availability on the target system, as the attacker can execute arbitrary code with the privileges of the Zoom application user.
Root Cause
The root cause of CVE-2023-28597 lies in improper trust boundary implementation within the Zoom client's handling of SMB-based recording locations. The application fails to adequately verify the authenticity and integrity of executables retrieved from SMB shares when processing recording links from Zoom's web portal. This trust boundary violation allows malicious content from untrusted network sources to be executed as if it were legitimate Zoom content.
Attack Vector
The attack requires an adjacent network position, meaning the attacker must be on the same local network segment as the victim or have the ability to intercept network traffic between the victim and legitimate SMB servers. The attack chain proceeds as follows:
- The victim saves a Zoom local recording to an SMB network share
- The attacker, positioned on an adjacent network, sets up a rogue SMB server
- When the victim later accesses the recording via a link from Zoom's web portal, the malicious SMB server responds to the client's request
- The Zoom client executes attacker-controlled content due to the improper trust boundary implementation
- The attacker achieves remote code execution on the victim's system
This attack requires no user interaction beyond the victim's normal workflow of accessing their saved recordings, and no privileges are required by the attacker to position their malicious SMB server.
Detection Methods for CVE-2023-28597
Indicators of Compromise
- Unusual SMB traffic patterns from Zoom client processes to unexpected or unknown SMB servers
- Zoom client processes spawning unexpected child processes or executing unsigned binaries
- Network connections from Zoom processes to non-corporate SMB servers
- Suspicious executable files appearing in SMB share locations containing Zoom recordings
Detection Strategies
- Monitor for Zoom client processes making SMB connections to servers outside the organization's trusted infrastructure
- Implement endpoint detection rules to alert on Zoom processes executing files from network shares with untrusted origins
- Deploy network-level monitoring to identify rogue SMB servers responding to client requests
- Create behavioral detection rules for process chains involving Zoom and unexpected executable launches
Monitoring Recommendations
- Enable detailed logging of SMB traffic at the network perimeter and internal network segments
- Configure endpoint detection and response (EDR) solutions to monitor Zoom client file operations and network activity
- Implement network segmentation monitoring to detect lateral movement or rogue server deployment
- Review Zoom client versions across the enterprise to identify unpatched installations
How to Mitigate CVE-2023-28597
Immediate Actions Required
- Upgrade all Zoom clients (Rooms, Desktop, VDI) to version 5.13.5 or later immediately
- Audit the organization for any instances of Zoom recordings stored on SMB shares
- Implement network segmentation to limit exposure to adjacent network attacks
- Consider temporarily disabling the ability to save recordings to network locations until patching is complete
Patch Information
Zoom has addressed this vulnerability in client version 5.13.5 and later releases. Organizations should update all Zoom products including Zoom Rooms, Zoom desktop clients, and Zoom VDI clients to the patched versions. The Zoom Security Bulletin provides official guidance and download links for the latest secure versions.
Enterprise administrators can deploy updates through Zoom's mass deployment packages or through their existing software distribution infrastructure.
Workarounds
- Restrict Zoom recording storage to local drives only, avoiding SMB network shares until patching is complete
- Implement strict SMB signing and authentication requirements to prevent rogue server connections
- Deploy network access controls to limit the ability of unauthorized devices to respond to SMB requests
- Block SMB traffic at network segment boundaries where feasible to reduce adjacent network attack surface
# Windows Group Policy - Enforce SMB Signing to mitigate rogue server attacks
# Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options
# Microsoft network client: Digitally sign communications (always) = Enabled
# PowerShell: Verify SMB signing is enforced
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
# Set SMB client to require signing
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
