CVE-2025-0149 Overview
CVE-2025-0149 is a high-severity denial of service vulnerability affecting multiple Zoom Workplace applications. The flaw stems from insufficient verification of data authenticity [CWE-345] in Zoom Workplace Apps. An unprivileged remote attacker can exploit the weakness over the network without user interaction to disrupt service availability. The vulnerability impacts Zoom Workplace desktop and mobile clients, Zoom Rooms, Zoom Rooms Controller, the Meeting Software Development Kit (SDK), and Workplace Virtual Desktop Infrastructure (VDI) builds. Zoom published advisory ZSB-25008 documenting the issue and corresponding fixed versions.
Critical Impact
Remote attackers can trigger denial of service conditions in Zoom Workplace clients across Windows, macOS, Linux, Android, iOS, and iPadOS without authentication, disrupting business communications and meeting infrastructure.
Affected Products
- Zoom Workplace and Zoom Workplace Desktop (Windows, macOS, Linux, Android, iOS)
- Zoom Rooms and Zoom Rooms Controller (Windows, macOS, Linux, Android, iPadOS)
- Zoom Meeting SDK and Zoom Workplace VDI (Windows)
Discovery Timeline
- 2025-03-11 - CVE-2025-0149 published to the National Vulnerability Database (NVD)
- 2025-08-19 - Last updated in NVD database
Technical Details for CVE-2025-0149
Vulnerability Analysis
The vulnerability is classified under CWE-345: Insufficient Verification of Data Authenticity. Zoom Workplace Apps fail to adequately validate the authenticity of data received over the network. An attacker can craft and deliver malformed or unauthenticated data to a target client. The client processes this data without confirming its origin or integrity, leading to an availability failure. The result is a denial of service condition affecting the targeted Zoom application instance.
Root Cause
The root cause is missing or weak authenticity checks on inbound network data within the Zoom client codebase. When data fails proper authentication validation, downstream processing logic mishandles it. This mishandling exhausts resources, crashes the client, or otherwise renders the application unusable. The flaw is shared across multiple Zoom product lines because they reuse the same underlying client components and SDK.
Attack Vector
Exploitation occurs over the network with low attack complexity and no required privileges or user interaction. An attacker reachable over the network sends specially crafted traffic to a vulnerable Zoom Workplace client or Rooms endpoint. The attack does not require an authenticated Zoom account session with the victim. Successful exploitation impacts availability only — confidentiality and integrity remain intact based on the published CVSS vector.
No public proof-of-concept exploit code is available. Refer to the Zoom Security Bulletin ZSB-25008 for vendor technical details and fixed version information.
Detection Methods for CVE-2025-0149
Indicators of Compromise
- Unexpected crashes, hangs, or restarts of Zoom Workplace, Zoom Rooms, or Zoom Rooms Controller processes across multiple endpoints
- Repeated client disconnections from Zoom services without corresponding network outages
- Anomalous inbound network traffic to Zoom client ports from untrusted sources
Detection Strategies
- Inventory all Zoom Workplace, Zoom Rooms, Zoom Rooms Controller, Meeting SDK, and VDI deployments and compare installed versions against the fixed builds listed in ZSB-25008
- Monitor endpoint telemetry for repeated Zoom.exe, zoom, or related process termination and restart events
- Correlate Zoom client crash events with concurrent inbound network flows to identify potential exploitation patterns
Monitoring Recommendations
- Enable application crash reporting and forward Zoom client logs to a centralized log analytics or SIEM platform
- Alert on spikes in Zoom client crash rates across the fleet, which may indicate active exploitation attempts
- Track network traffic baselines to Zoom endpoints and investigate deviations from expected peer or signaling traffic
How to Mitigate CVE-2025-0149
Immediate Actions Required
- Update all Zoom Workplace Apps, Zoom Rooms, Zoom Rooms Controller, Meeting SDK, and Workplace VDI installations to the fixed versions listed in Zoom Security Bulletin ZSB-25008
- Prioritize patching of Zoom Rooms appliances and conference room endpoints, which are typically always-on and network-exposed
- Audit third-party applications built on the Zoom Meeting SDK and update embedded SDK versions accordingly
Patch Information
Zoom has released fixed versions for all affected products. Administrators should consult Zoom Security Bulletin ZSB-25008 for the complete list of fixed builds across Windows, macOS, Linux, Android, iOS, and iPadOS platforms. Enterprise deployments should use Zoom's mass deployment tooling or mobile device management (MDM) to push updates.
Workarounds
- No vendor-supplied workaround is documented; patching is the supported remediation path
- Restrict inbound network exposure of Zoom Rooms and Rooms Controller systems through network segmentation and firewall rules until patches are applied
- Disable automatic answer features on Zoom Rooms endpoints to reduce the attack surface during the patch window
# Example: enforce minimum Zoom client version via MDM/GPO configuration
# Refer to ZSB-25008 for current fixed build numbers per platform
MinimumClientVersion=<fixed-version-from-ZSB-25008>
AutoUpdate=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
