CVE-2025-0149 Overview
CVE-2025-0149 is a high-severity vulnerability in multiple Zoom Workplace Apps caused by insufficient verification of data authenticity [CWE-345]. An unprivileged remote attacker can leverage the flaw to trigger a denial of service condition over the network without authentication or user interaction. Zoom disclosed the issue in security bulletin ZSB-25008, covering Zoom Workplace, Zoom Rooms, Zoom Rooms Controller, the Meeting SDK, and Zoom VDI clients across desktop and mobile platforms. The vulnerability affects availability only and does not compromise confidentiality or integrity.
Critical Impact
A remote, unauthenticated attacker can disrupt Zoom Workplace client availability across desktop, mobile, and VDI deployments through crafted network traffic.
Affected Products
- Zoom Workplace and Zoom Workplace Desktop (Windows, macOS, Linux, Android, iOS)
- Zoom Rooms and Zoom Rooms Controller (Windows, macOS, Linux, Android, iPadOS)
- Zoom Meeting SDK and Zoom Workplace VDI for Windows
Discovery Timeline
- 2025-03-11 - CVE-2025-0149 published to NVD
- 2025-08-19 - Last updated in NVD database
Technical Details for CVE-2025-0149
Vulnerability Analysis
The flaw resides in how affected Zoom Workplace Apps validate the authenticity of incoming data. The clients accept network input without sufficiently verifying that the data originated from a legitimate, trusted source. An attacker can craft and deliver malformed or spoofed messages that the client processes, leading to a crash or unresponsive state.
Because the attack vector is network-based and requires no privileges or user interaction, exposed Zoom clients can be disrupted remotely. Successful exploitation results in a high availability impact while leaving confidentiality and integrity unaffected. The issue affects the entire Zoom Workplace product family, expanding the attack surface across desktop, mobile, and VDI form factors.
Root Cause
The root cause is improper verification of data authenticity, classified under [CWE-345]. Affected Zoom client components trust incoming data inputs without enforcing source validation or integrity checks. This trust gap allows untrusted inputs to reach parsing or processing logic that assumes authenticated input, producing a fault that terminates or hangs the client process.
Attack Vector
Exploitation requires only network access to the target Zoom client. An attacker sends crafted traffic to the vulnerable component, bypassing authenticity checks that should reject unverified data. No credentials, prior access, or user interaction is required. The vulnerability impacts availability only, meaning the attacker cannot read user data or alter meeting content, but can repeatedly crash or stall the Zoom client to deny service.
No public proof-of-concept exploit code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Zoom Security Bulletin ZSB-25008 for vendor technical details.
Detection Methods for CVE-2025-0149
Indicators of Compromise
- Unexpected crashes, hangs, or restarts of Zoom Workplace, Zoom Rooms, or Zoom Meeting SDK processes across multiple endpoints within a short window
- Repeated client disconnects or failed meeting joins coinciding with inbound traffic from untrusted sources
- Crash dump or Windows Error Reporting entries referencing Zoom client binaries on affected versions
Detection Strategies
- Inventory Zoom Workplace, Zoom Rooms, Rooms Controller, Meeting SDK, and VDI client versions and compare against the fixed builds listed in ZSB-25008
- Correlate endpoint process termination events for Zoom binaries with network connections to non-corporate destinations
- Monitor help-desk and meeting-quality telemetry for clusters of users reporting simultaneous Zoom client failures
Monitoring Recommendations
- Alert on abnormal volumes of Zoom client crash events through EDR or operating system telemetry
- Track outbound and inbound network flows associated with Zoom client processes for anomalous peers or traffic patterns
- Review Zoom admin portal logs for irregular session terminations affecting Zoom Rooms and shared meeting endpoints
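The "multiple endpoints within a short window" indicator and the crash-volume alert above can be expressed as a sliding-window check over exported crash telemetry. The following is an added example, not code from Zoom or from the original page; the event layout, host names, the `zoom` process-name prefix match, and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample crash telemetry (timestamp, host, crashed process).
# The tuple layout is hypothetical; map your EDR / OS crash export onto it.
SAMPLE_EVENTS = [
    ("2025-03-12T09:00:05", "ws-014", "Zoom.exe"),
    ("2025-03-12T09:00:40", "ws-022", "Zoom.exe"),
    ("2025-03-12T09:01:10", "ws-014", "Zoom.exe"),       # repeat on same host
    ("2025-03-12T09:02:30", "room-3f", "ZoomRooms.exe"),
    ("2025-03-12T09:03:00", "ws-031", "chrome.exe"),     # not Zoom, ignored
    ("2025-03-12T13:45:00", "ws-050", "Zoom.exe"),       # isolated crash
]


def find_crash_clusters(events, window=timedelta(minutes=5), min_hosts=3):
    """Return (start, end, hosts) for each burst in which Zoom processes
    crashed on at least `min_hosts` distinct hosts within `window`."""
    zoom = sorted(
        (datetime.fromisoformat(ts), host)
        for ts, host, proc in events
        if proc.lower().startswith("zoom")  # assumed naming convention
    )
    recent = deque()      # Zoom crashes still inside the sliding window
    clusters = []
    in_cluster = False
    for ts, host in zoom:
        recent.append((ts, host))
        while ts - recent[0][0] > window:
            recent.popleft()
        hosts = {h for _, h in recent}
        if len(hosts) >= min_hosts:
            if in_cluster:
                # Burst is still going: extend the open cluster.
                start, _, seen = clusters[-1]
                clusters[-1] = (start, ts, seen | hosts)
            else:
                clusters.append((recent[0][0], ts, hosts))
                in_cluster = True
        else:
            # Counting distinct hosts means one flapping client never alerts.
            in_cluster = False
    return clusters


if __name__ == "__main__":
    for start, end, hosts in find_crash_clusters(SAMPLE_EVENTS):
        print(f"Zoom crash cluster {start} -> {end}: {sorted(hosts)}")
```

Tune `window` and `min_hosts` to fleet size; a hit is a prompt to check those hosts' client versions against ZSB-25008, not proof of exploitation.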
How to Mitigate CVE-2025-0149
Immediate Actions Required
- Update all Zoom Workplace Apps, Zoom Rooms, Zoom Rooms Controller, Zoom Meeting SDK, and Zoom VDI clients to the fixed versions identified in Zoom bulletin ZSB-25008
- Prioritize patching of shared and always-on assets such as Zoom Rooms appliances and conference-room controllers
- Audit endpoint fleets to confirm no legacy Zoom clients remain installed after the rollout
Patch Information
Zoom has released fixed versions for all impacted clients. Refer to the Zoom Security Bulletin ZSB-25008 for the authoritative list of fixed versions per product and platform. Administrators should enforce automatic updates where supported and validate client versions through device management tooling.
Workarounds
- No vendor-provided workaround is documented; updating to the patched client is the supported remediation
- Restrict network exposure of Zoom Rooms and SDK-based applications to trusted networks where feasible until patching is complete
- Use endpoint management policies to block execution of outdated Zoom client binaries on managed devices
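```powershell
# Example: query installed Zoom client versions on Windows endpoints.
# Checks the 32-bit and 64-bit machine-wide uninstall keys plus the current user's key.
$uninstallKeys = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Zoom*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
```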
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

