CVE-2025-49460 Overview
CVE-2025-49460 is an uncontrolled resource consumption vulnerability [CWE-400] affecting multiple Zoom Workplace Clients. An unauthenticated remote attacker with network access can trigger a denial-of-service condition. The flaw requires neither user interaction nor prior authentication, lowering the barrier for exploitation.
The vulnerability affects Zoom Workplace Desktop, Zoom Rooms, Zoom Rooms Controller, Zoom Meeting SDK, and Zoom Workplace VDI across Windows, macOS, Linux, Android, iOS, and iPadOS. Zoom published security bulletin ZSB-25033 addressing the issue.
Critical Impact
An unauthenticated network-based attacker can exhaust client resources and disrupt Zoom Workplace availability across enterprise endpoints, impacting meetings and collaboration workflows.
Affected Products
- Zoom Workplace Desktop (Windows, macOS, Linux) and Zoom Workplace for iPhone
- Zoom Rooms and Zoom Rooms Controller (Windows, macOS, Android, Linux, iPadOS)
- Zoom Meeting SDK and Zoom Workplace VDI for Windows
Discovery Timeline
- 2025-09-09 - CVE-2025-49460 published to NVD
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-49460
Vulnerability Analysis
The vulnerability is classified as Uncontrolled Resource Consumption [CWE-400]. Zoom Workplace Clients fail to bound resources allocated when processing certain network input. An attacker sending crafted traffic can force the client into excessive consumption of memory, CPU, or other finite resources.
The result is a denial-of-service condition affecting the availability of the Zoom client. Confidentiality and integrity are not impacted, but the application can become unresponsive or crash. Because the vulnerability is exploitable over the network without authentication or user interaction, attackers can target exposed clients directly.
The broad product footprint amplifies operational risk. Conference room appliances running Zoom Rooms, virtual desktop deployments using Zoom VDI, and embedded SDK integrations are all in scope.
Root Cause
The root cause lies in the absence of bounds or rate controls on resource allocation when the client parses or services network-delivered data. Without explicit limits on buffers, queues, or processing loops, an attacker-controlled input stream forces unbounded growth in resource usage until the client degrades or fails.
Attack Vector
Exploitation occurs over the network with low attack complexity. The attacker requires no privileges and no victim interaction. A remote actor sends specially crafted traffic to a reachable Zoom Workplace Client and triggers the resource exhaustion path, producing a denial of service against the application instance.
No public proof-of-concept exploit, ExploitDB entry, or CISA KEV listing exists for this issue at the time of writing. Technical specifics are documented in the Zoom Security Bulletin ZSB-25033.
Detection Methods for CVE-2025-49460
Indicators of Compromise
- Repeated unexpected crashes, freezes, or restart events of Zoom Workplace, Zoom Rooms, or Zoom VDI clients across endpoints
- Sustained high CPU or memory consumption attributable to Zoom.exe, zoom, or related Zoom processes
- Unusual inbound or peer-to-peer traffic patterns toward Zoom client listening ports preceding application failure
Detection Strategies
- Monitor endpoint telemetry for abnormal Zoom client process termination and rapid memory growth
- Correlate network flow data with Zoom client crash events to identify potential remote DoS attempts
- Inventory Zoom client versions across the fleet and flag hosts running versions below those listed as fixed in ZSB-25033
Monitoring Recommendations
- Establish baseline resource usage profiles for Zoom processes and alert on sustained deviation
- Track repeated Zoom client crash reports in Windows Event Logs and macOS unified logs
- Review perimeter and internal network telemetry for unsolicited traffic targeting endpoints running Zoom
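The crash-plus-memory-growth correlation described in the detection and monitoring lists above, as an added example that is not part of the page and not Zoom's own tooling: it joins constructed process-memory samples with constructed abnormal-termination events and flags hosts where a Zoom process grew monotonically in the window before it died, while ignoring growth without a crash and crashes without growth. The window and growth thresholds are assumed tuning values.

```python
from collections import defaultdict

# Process names the page lists for Zoom clients (matched case-insensitively).
ZOOM_PROCESSES = {"zoom.exe", "zoom"}

# Constructed endpoint telemetry, not real data: (host, epoch_s, process, rss_mb)
SAMPLES = [
    ("room-a", 1000, "Zoom.exe", 410), ("room-a", 1060, "Zoom.exe", 900),
    ("room-a", 1120, "Zoom.exe", 1500), ("room-a", 1180, "Zoom.exe", 2300),
    ("desk-7", 1000, "Zoom.exe", 380), ("desk-7", 1060, "Zoom.exe", 395),
    ("desk-7", 1120, "Zoom.exe", 390), ("desk-7", 1180, "Zoom.exe", 400),
    ("vdi-3", 1000, "zoom", 420), ("vdi-3", 1060, "zoom", 1100),
]
# Constructed crash / abnormal-termination events: (host, epoch_s, process)
CRASHES = [("room-a", 1200, "Zoom.exe"), ("desk-7", 1200, "Zoom.exe")]


def sustained_growth(series, min_points=3, min_growth_mb=500):
    """True if RSS never decreases across at least min_points samples and the
    total growth meets the threshold. series: [(epoch_s, rss_mb)] sorted by time."""
    if len(series) < min_points:
        return False
    rss = [r for _, r in series]
    monotonic = all(later >= earlier for earlier, later in zip(rss, rss[1:]))
    return monotonic and rss[-1] - rss[0] >= min_growth_mb


def flag_hosts(samples, crashes, window_s=300):
    """Return {host: peak_rss_mb} for hosts where a Zoom process terminated
    after sustained memory growth inside the preceding window_s seconds."""
    by_host = defaultdict(list)
    for host, ts, proc, rss in samples:
        if proc.lower() in ZOOM_PROCESSES:
            by_host[host].append((ts, rss))
    flagged = {}
    for host, ts_crash, proc in crashes:
        if proc.lower() not in ZOOM_PROCESSES:
            continue
        series = sorted(p for p in by_host[host] if ts_crash - window_s <= p[0] <= ts_crash)
        if sustained_growth(series):
            flagged[host] = series[-1][1]  # peak RSS just before termination
    return flagged


if __name__ == "__main__":
    # room-a is flagged; desk-7 crashed without growth, vdi-3 grew without crashing
    print(flag_hosts(SAMPLES, CRASHES))
```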
How to Mitigate CVE-2025-49460
Immediate Actions Required
- Update all Zoom Workplace, Zoom Rooms, Zoom Rooms Controller, Zoom Meeting SDK, and Zoom VDI installations to the fixed versions listed in ZSB-25033
- Prioritize patching for shared meeting room devices and VDI gold images that propagate to many users
- Audit third-party applications embedding the Zoom Meeting SDK and update the SDK component
Patch Information
Zoom has released fixed builds addressing CVE-2025-49460. Refer to the Zoom Security Bulletin ZSB-25033 for the specific patched version numbers per product and platform. Deploy updates through enterprise software management tooling and confirm version compliance on each endpoint.
Workarounds
- No vendor-supplied workaround is documented; patching is the required remediation
- Restrict network exposure of Zoom Rooms and VDI hosts to trusted segments where feasible
- Limit direct network reachability to Zoom clients from untrusted networks using host-based firewall rules
# Example: identify Zoom client versions on Windows endpoints
# Win32_Product queries are slow and trigger an MSI consistency check on every installed product; run them in a maintenance window
Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*Zoom*" } | Select-Object Name, Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.