CVE-2025-0146 Overview
A symlink following vulnerability has been identified in the installer for Zoom Workplace App for macOS before version 6.2.10. This vulnerability may allow an authenticated user to conduct a denial of service attack via local access. The flaw exists in how the installer handles symbolic links during the installation process, potentially allowing malicious actors to manipulate file system operations.
Critical Impact
Local authenticated attackers can exploit symlink following in the Zoom installer to cause denial of service conditions on macOS systems, potentially disrupting business communications and collaboration tools.
Affected Products
- Zoom Workplace Desktop for macOS (before version 6.2.10)
- Zoom Meeting Software Development Kit for macOS
- Zoom Rooms for macOS
- Zoom Rooms Controller for macOS
- Zoom Video Software Development Kit for macOS
Discovery Timeline
- 2025-01-30 - CVE-2025-0146 published to NVD
- 2025-08-01 - Last updated in NVD database
Technical Details for CVE-2025-0146
Vulnerability Analysis
This vulnerability is classified as CWE-59 (Improper Link Resolution Before File Access), commonly known as a symlink following or symlink attack vulnerability. The flaw occurs when the Zoom installer for macOS improperly resolves symbolic links before performing file operations during the installation process.
When the installer writes files or modifies system resources, it fails to properly validate whether the target paths are legitimate files or symbolic links pointing to other locations. An authenticated local user can exploit this by creating carefully crafted symbolic links in locations accessed by the installer, causing the installer to write to or modify unintended files or directories.
The attack requires local access to the target system and an authenticated user session. When exploited, the vulnerability results in a denial of service condition, impacting the availability of the Zoom application or potentially other system resources. While the attack does not compromise confidentiality or integrity, it can significantly disrupt business operations reliant on Zoom for communication.
Root Cause
The root cause of this vulnerability lies in inadequate validation of file paths during the installation process. The Zoom installer fails to perform proper canonicalization of file paths and does not check whether target files are symbolic links before performing write operations. This allows an attacker to redirect installer operations to arbitrary file system locations through strategically placed symlinks.
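The missing check described above, shown as an added Python example (not Zoom's installer code, and not from the original page): a write that follows a symlink at the destination next to one that refuses it. File names and the temp-directory scenario are constructed for illustration.

```python
import errno
import os
import stat
import tempfile

def naive_write(path, data):
    """Vulnerable pattern: open() resolves a symlink at `path` and writes to its target."""
    with open(path, "wb") as f:
        f.write(data)

def safe_write(path, data):
    """Write only if `path` is (or becomes) a regular, singly linked file."""
    # O_NOFOLLOW rejects a symlink in the final component; no O_TRUNC, so
    # nothing is destroyed before the checks on the opened object pass.
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o644)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.EMLINK):  # symlink at destination
            return False
        raise
    try:
        st = os.fstat(fd)  # inspect the object actually opened, not the path
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            return False  # not a regular file, or hard-linked elsewhere
        os.ftruncate(fd, 0)
        os.write(fd, data)
        return True
    finally:
        os.close(fd)

def demo():
    """Constructed scenario: the staged destination is a symlink to victim.txt."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "victim.txt")
        link = os.path.join(tmp, "staged_payload")
        for name, writer in (("naive", naive_write), ("safe", safe_write)):
            with open(victim, "wb") as f:
                f.write(b"original")
            os.symlink(victim, link)
            writer(link, b"installer data")
            os.unlink(link)  # removes the link itself, not its target
            with open(victim, "rb") as f:
                results[name] = f.read()
    return results

if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only covers the final path component; a symlinked parent directory needs a separate check, for example opening the directory first and creating the file relative to that descriptor.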
Attack Vector
The attack vector requires local access with authenticated user privileges. The attack proceeds as follows:
- The attacker identifies directories or files accessed by the Zoom installer during the installation process
- The attacker creates symbolic links in accessible locations pointing to critical system files or directories
- The installation process is triggered (either through a new installation or an update)
- The installer follows the malicious symlinks, potentially overwriting or corrupting targeted files
The attack targets the installation workflow and requires user interaction to initiate the vulnerable installation process. Due to the local access requirement, the attack surface is limited to users who already have authenticated access to the target macOS system.
Detection Methods for CVE-2025-0146
Indicators of Compromise
- Unusual symbolic links created in Zoom installation directories or temporary folders
- Unexpected file modifications in system directories during Zoom installation events
- Failed or corrupted Zoom installations with associated file system errors
- Suspicious activity in macOS installation logs related to Zoom components
Detection Strategies
- Monitor file system activity during Zoom installer execution for symlink creation or manipulation
- Implement endpoint detection rules to flag symbolic link operations targeting Zoom installation paths
- Review macOS system logs for failed file operations or permission errors during Zoom updates
- Deploy SentinelOne endpoint protection to detect anomalous file system behavior during software installations
Monitoring Recommendations
- Enable file integrity monitoring on directories commonly used by Zoom installers
- Configure alerts for symbolic link creation in /Applications/, temporary directories, and user Library folders
- Monitor for multiple failed installation attempts which may indicate exploitation attempts
- Review endpoint telemetry for unusual process behavior during Zoom update operations
How to Mitigate CVE-2025-0146
Immediate Actions Required
- Update Zoom Workplace Desktop for macOS to version 6.2.10 or later immediately
- Update all affected Zoom SDKs and Rooms components to their latest patched versions
- Audit systems for any suspicious symbolic links in Zoom-related directories
- Restrict installation privileges to trusted administrators where possible
Patch Information
Zoom has released security updates addressing this vulnerability. Organizations should update to the following minimum versions:
- Zoom Workplace Desktop for macOS: Version 6.2.10 or later
- Zoom Meeting SDK for macOS: Latest available version
- Zoom Rooms for macOS: Latest available version
- Zoom Rooms Controller for macOS: Latest available version
- Zoom Video SDK for macOS: Latest available version
For detailed patch information and download links, refer to the Zoom Security Bulletin ZSB-25005.
Workarounds
- Temporarily disable automatic updates and manually verify installer integrity before installation
- Restrict user permissions to create symbolic links in directories accessed by the Zoom installer
- Run Zoom installations in controlled environments with limited file system access
- Monitor and audit file system operations during installation processes until patches are applied
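```bash
# Check the installed Zoom version on macOS (read from the app bundle's Info.plist)
defaults read /Applications/zoom.us.app/Contents/Info CFBundleShortVersionString

# List symlinks in Zoom directories for review
# (app bundles normally contain some internal symlinks, so expect benign entries)
find /Applications/zoom.us.app -type l -ls
find ~/Library/Application\ Support/zoom.us -type l -ls

# Search the unified log for messages mentioning "symlink" in the last 24 hours
# (only useful if the relevant events are being logged)
log show --predicate 'eventMessage contains "symlink"' --last 24h
```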
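To narrow the symlink audit, the following added example (not from the original page or from Zoom) reports only links whose resolved target lies outside the directory being scanned, which separates bundle-internal links from ones that redirect elsewhere. The sample tree is constructed; the two scanned paths are the ones used in the commands on this page.

```python
import os


def find_escaping_symlinks(root):
    """Return (link, resolved_target) for symlinks under root that resolve outside it."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves relative and chained links
            if os.path.commonpath([root_real, target]) != root_real:
                findings.append((path, target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout: one bundle-internal link and one pointing outside."""
    root = os.path.join(base, "Sample.app")
    os.makedirs(os.path.join(root, "Frameworks", "Versions", "A"))
    os.symlink("A", os.path.join(root, "Frameworks", "Versions", "Current"))
    outside = os.path.join(base, "outside.conf")
    with open(outside, "w") as f:
        f.write("unrelated file")
    os.symlink(outside, os.path.join(root, "settings.plist"))
    return root, outside


if __name__ == "__main__":
    for d in ("/Applications/zoom.us.app",
              os.path.expanduser("~/Library/Application Support/zoom.us")):
        if os.path.isdir(d):
            for link, target in find_escaping_symlinks(d):
                print(f"{link} -> {target}")
```

A reported link is a candidate for review rather than proof of tampering; compare findings against a known-good installation.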

