CVE-2025-0145 Overview
CVE-2025-0145 is an untrusted search path vulnerability affecting the installer for multiple Zoom Workplace Apps for Windows. This vulnerability allows an authorized user with local access to conduct privilege escalation attacks by exploiting how the installer searches for and loads executable components during the installation process.
The flaw stems from CWE-426 (Untrusted Search Path), where the installer improperly handles the search path for required libraries or executables, potentially allowing a malicious actor to place crafted files in locations that get loaded before legitimate components.
Critical Impact
A local privilege escalation vulnerability in widely deployed Zoom collaboration software: an attacker who already has local access to a system could elevate to higher privileges, potentially compromising the entire system.
Affected Products
- Zoom Meeting Software Development Kit for Windows
- Zoom Rooms for Windows
- Zoom Rooms Controller for Windows
- Zoom Video Software Development Kit for Windows
- Zoom Workplace Desktop for Windows
- Zoom Workplace Virtual Desktop Infrastructure for Windows
Discovery Timeline
- 2025-01-30 - CVE-2025-0145 published to NVD
- 2025-08-20 - Last updated in NVD database
Technical Details for CVE-2025-0145
Vulnerability Analysis
This untrusted search path vulnerability exists within the installer components for various Zoom Workplace applications running on Windows systems. The installer fails to properly constrain the search locations when loading required dynamic link libraries (DLLs) or executable files during the installation process.
When Windows applications attempt to load DLLs, they follow a specific search order that includes the current working directory and directories in the system PATH environment variable. If an attacker can place a malicious DLL in a location that gets searched before the legitimate system directories, the installer will load the attacker's code instead.
This type of vulnerability is particularly dangerous during installation because installers typically run with elevated privileges. An attacker who has already gained local access to a system can exploit this vulnerability to escalate from a standard user account to administrator or SYSTEM-level privileges.
Root Cause
The root cause is classified under CWE-426 (Untrusted Search Path). The Zoom installer does not implement proper safeguards to ensure that only trusted, expected libraries from known secure locations are loaded during installation. This allows untrusted directories to be searched for required components, creating an avenue for DLL hijacking attacks.
The vulnerability arises because:
- The installer searches for dependencies in directories that may be writable by unprivileged users
- The search path order allows attacker-controlled locations to take precedence over system directories
- The installer does not sufficiently validate the paths of loaded libraries before executing them
Attack Vector
The attack requires local access to the target system. An attacker must be able to write files to directories that are searched by the installer before the legitimate library locations. The attack scenario typically involves:
- The attacker identifies directories in the installer's search path that are writable with their current privileges
- A malicious DLL is crafted with the same name as a legitimate dependency
- The malicious DLL is placed in a directory that will be searched before the legitimate location
- When a user or administrator runs the Zoom installer, the malicious DLL is loaded instead of the legitimate one
- The attacker's code executes with the privileges of the installer process, typically SYSTEM or Administrator
No verified proof-of-concept code is publicly available for this vulnerability. In general terms, exploiting this class of flaw requires a malicious DLL that exposes the export functions the installer expects from the hijacked library while carrying code that runs when it is loaded. For detailed technical information, refer to the Zoom Security Bulletin ZSB-25004.
Detection Methods for CVE-2025-0145
Indicators of Compromise
- Unexpected DLL files appearing in user-writable directories commonly searched by installers (e.g., %TEMP%, current working directory, user profile directories)
- DLL files with names matching common Zoom dependencies located outside of legitimate Zoom installation directories
- Process execution events showing the Zoom installer loading libraries from unusual paths
- New or modified files in directories along the system PATH that match Zoom installer dependencies
Detection Strategies
- Monitor file system activity for DLL files created in user-writable directories immediately before Zoom installer execution
- Implement application whitelisting to prevent unauthorized DLLs from being loaded during installation processes
- Use endpoint detection and response (EDR) solutions to track DLL loading events and flag libraries loaded from non-standard paths
- Audit file permissions on directories in the system PATH to identify overly permissive configurations
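As an added detection example (not code from the page, from Zoom, or from any vendor): the check behind the EDR strategy above, run over constructed records shaped like Sysmon Event ID 7 (ImageLoaded) fields. The installer name patterns and trusted roots are assumptions to adjust for your environment.

```powershell
# Added example: flag DLLs loaded by an installer process from outside trusted directories,
# or without a valid signature. Records mimic Sysmon Event ID 7 fields; all values are constructed.
function Find-SuspiciousInstallerImageLoad {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        # Assumption: process-name patterns that identify the installer on your hosts
        [string[]] $InstallerPatterns = @('*Zoom*Install*', '*Zoom*Setup*', 'msiexec.exe'),
        # Assumption: roots from which an elevated installer is expected to load DLLs
        [string[]] $TrustedRoots = @('C:\Windows\System32\', 'C:\Windows\SysWOW64\',
                                     'C:\Program Files\', 'C:\Program Files (x86)\')
    )
    foreach ($e in $Events) {
        # Scope to installer processes only; other processes are out of scope for this check
        $proc = Split-Path -Leaf $e.Image
        $isInstaller = @($InstallerPatterns | Where-Object { $proc -like $_ }).Count -gt 0
        if (-not $isInstaller -or $e.ImageLoaded -notlike '*.dll') { continue }

        $inTrusted = @($TrustedRoots | Where-Object {
            $e.ImageLoaded.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) }).Count -gt 0
        $reasons = @()
        if (-not $inTrusted) { $reasons += 'loaded from outside trusted roots' }
        if ($e.Signed -ne 'true' -or $e.SignatureStatus -ne 'Valid') { $reasons += 'unsigned or invalid signature' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                UtcTime = $e.UtcTime
                Process = $e.Image
                Dll     = $e.ImageLoaded
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records (not real telemetry). Same DLL name, two different locations:
# only the copy loaded from the user's Downloads directory should be flagged.
$sample = @(
    [pscustomobject]@{ UtcTime = '2025-02-01 10:00:01'; Image = 'C:\Users\alice\Downloads\ZoomInstaller.exe'
                       ImageLoaded = 'C:\Windows\System32\depend.dll'; Signed = 'true'; SignatureStatus = 'Valid' }
    [pscustomobject]@{ UtcTime = '2025-02-01 10:00:02'; Image = 'C:\Users\alice\Downloads\ZoomInstaller.exe'
                       ImageLoaded = 'C:\Users\alice\Downloads\depend.dll'; Signed = 'false'; SignatureStatus = 'Unavailable' }
    [pscustomobject]@{ UtcTime = '2025-02-01 10:00:03'; Image = 'C:\Windows\explorer.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\other.dll'; Signed = 'false'; SignatureStatus = 'Unavailable' }
)
Find-SuspiciousInstallerImageLoad -Events $sample | Format-Table -AutoSize
```

With real telemetry, feed the function the parsed Sysmon Event ID 7 records for the installer's execution window instead of `$sample`.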
Monitoring Recommendations
- Enable Windows Security event logging for process creation (Event ID 4688) and collect DLL load events through Sysmon (Event ID 7) or an EDR, since the Security log itself does not record image loads
- Configure SentinelOne to monitor for privilege escalation patterns associated with installer hijacking
- Implement alerts for new executable files created in user-writable directories that match known library naming patterns
- Review system PATH configurations to ensure no user-writable directories are included before system directories
How to Mitigate CVE-2025-0145
Immediate Actions Required
- Update all affected Zoom Workplace applications to the latest patched versions immediately
- Remove any Zoom installers from user-accessible locations and download fresh copies from official Zoom sources
- Audit systems for unexpected DLL files in directories commonly used for DLL hijacking attacks
- Restrict user write permissions to directories in the system PATH environment variable
Patch Information
Zoom has released security updates to address this vulnerability. Organizations should update to the latest versions of all affected Zoom products. Detailed patch information and fixed versions are available in the Zoom Security Bulletin ZSB-25004.
Ensure automatic updates are enabled for Zoom applications where possible, or implement a managed deployment strategy to push updated versions to enterprise environments.
Workarounds
- Run the Zoom installer from a clean, isolated directory with restricted write permissions to prevent DLL hijacking
- Execute installations only from administrator accounts in clean session environments without user-writable directories in PATH
- Use application control solutions to restrict which DLLs can be loaded by installer processes
- Temporarily remove user-writable directories from the system PATH during Zoom installations
# Verify Zoom installation integrity and check for suspicious DLLs
# PowerShell script to audit DLL files in common hijacking locations

# Check for unexpected DLLs in the user temp directory
Get-ChildItem -Path $env:TEMP -Filter "*.dll" -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, CreationTime, LastWriteTime

# Check that the ACLs under the Zoom installation directory are in canonical form
icacls "C:\Program Files\Zoom" /verify /T /C

# Check system PATH for directories writable by low-privileged principals (matched by SID)
$lowPrivSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')   # Everyone, Authenticated Users, BUILTIN\Users
$env:PATH -split ';' | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir
    $writable = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write) -ne 0) -and
        ($lowPrivSids -contains $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value)
    }
    if ($writable) { Write-Output "WRITABLE by low-privileged users: $dir (Owner: $($acl.Owner))" }
    else           { Write-Output "OK: $dir (Owner: $($acl.Owner))" }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.