CVE-2023-49647 Overview
CVE-2023-49647 is an improper access control vulnerability [CWE-266] affecting the Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows prior to version 5.16.10. An authenticated local user can leverage the flaw to escalate privileges on the host system. The issue is tracked under Zoom Security Bulletin ZSB-24001 and was published to the National Vulnerability Database (NVD) on January 12, 2024.
Exploitation requires local access and low privileges, with no user interaction. Successful exploitation results in high impact to confidentiality, integrity, and availability of the affected Windows host.
Critical Impact
An authenticated local attacker can elevate privileges on a Windows endpoint running a vulnerable Zoom client, gaining higher-level access to system resources and data.
Affected Products
- Zoom Desktop Client for Windows before version 5.16.10
- Zoom VDI Client for Windows before version 5.16.10
- Zoom Meeting SDK, Video SDK, and related Zoom SDKs for Windows before version 5.16.10
Discovery Timeline
- 2024-01-12 - CVE-2023-49647 published to NVD and disclosed in Zoom Security Bulletin ZSB-24001
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-49647
Vulnerability Analysis
The vulnerability stems from improper access control within Zoom client components installed on Windows endpoints. According to Zoom Security Bulletin ZSB-24001, an authenticated user with local access can abuse this weakness to perform privilege escalation. The flaw maps to [CWE-266] Incorrect Privilege Assignment, which occurs when a product assigns a privilege to an actor that exceeds what the actor should hold.
Because the Zoom client and SDK components run on Windows endpoints used across enterprise environments, the vulnerability creates a path for low-privileged users to elevate to higher-integrity contexts. The attack vector is restricted to local access, which limits remote exploitation but remains valuable to adversaries who have already established initial access through phishing, commodity malware, or stolen credentials.
Root Cause
The root cause is improper access control in Zoom client and SDK binaries for Windows before 5.16.10. Zoom has not publicly released technical details of the affected code paths. The CWE-266 classification indicates that a component grants privileges beyond what the calling user should possess, allowing a local authenticated user to perform actions reserved for higher-privileged accounts.
Attack Vector
An attacker must already have local, authenticated access to a Windows system that runs a vulnerable Zoom Desktop Client, VDI Client, or application built with an affected Zoom SDK. No user interaction is required to trigger the flaw. Once exploited, the attacker gains elevated privileges on the local host, which can be used to disable security tooling, install persistence, access credentials, or move laterally.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Technical exploitation details have not been published by the vendor.
Detection Methods for CVE-2023-49647
Indicators of Compromise
- Zoom client or SDK binaries with version strings below 5.16.10 present on Windows endpoints
- Unexpected child processes spawned by Zoom executables running at higher integrity levels than the invoking user
- Modification of files or registry keys under privileged paths immediately following Zoom client activity
Detection Strategies
- Inventory installed Zoom Desktop Client, VDI Client, and SDK-based applications across Windows estates and compare reported versions against the 5.16.10 baseline.
- Monitor process lineage for Zoom client executables that launch privileged child processes or invoke administrative utilities such as cmd.exe, powershell.exe, or sc.exe.
- Correlate local logon events with Zoom client activity to identify standard users executing actions that require elevation.
Monitoring Recommendations
- Enable Windows process creation auditing (Event ID 4688) with command-line logging on endpoints that run Zoom.
- Forward endpoint telemetry, including process, file, and registry events, to a centralized analytics platform for correlation.
- Track Zoom installer and updater activity to confirm that endpoints transition to patched versions across managed and BYOD fleets.
How to Mitigate CVE-2023-49647
Immediate Actions Required
- Upgrade Zoom Desktop Client for Windows and Zoom VDI Client for Windows to version 5.16.10 or later on all managed endpoints.
- Rebuild and redistribute any in-house applications that depend on Zoom Meeting SDK or Video SDK for Windows using SDK version 5.16.10 or later.
- Restrict local logon rights on shared Windows hosts to reduce the population of users able to trigger the flaw.
Patch Information
Zoom addressed the vulnerability in version 5.16.10 of the affected Windows clients and SDKs. Detailed remediation guidance is available in the Zoom Security Bulletin ZSB-24001. Administrators should validate patch deployment via software inventory or endpoint management tooling and confirm that older Zoom installations have been removed.
Workarounds
- No vendor-supplied workaround is documented; patching to 5.16.10 or later is the recommended remediation path.
- Where immediate patching is not feasible, enforce least privilege on affected endpoints and limit interactive logons to trusted administrators.
- Apply application allowlisting to restrict execution of Zoom binaries to approved, current versions only.
# Example: query installed Zoom version on a Windows host (PowerShell)
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "Zoom*" } |
Select-Object DisplayName, DisplayVersion, Publisher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
