CVE-2025-64739 Overview
CVE-2025-64739 is a high-severity vulnerability affecting multiple Zoom client applications across various platforms. The vulnerability stems from external control of file name or path (CWE-73), which may allow an unauthenticated user to conduct information disclosure via network access. This vulnerability class enables attackers to manipulate file path references, potentially gaining unauthorized access to sensitive files on affected systems.
Critical Impact
Unauthenticated attackers can exploit this vulnerability over the network to access and disclose sensitive information from affected Zoom clients without requiring user interaction.
Affected Products
- Zoom Meeting Software Development Kit (Linux, macOS, Windows)
- Zoom Rooms (iOS, macOS, Windows)
- Zoom Rooms Controller (Linux, macOS, Windows)
- Zoom Workplace Desktop (Linux, macOS, Windows)
- Zoom Workplace Virtual Desktop Infrastructure (Windows)
Discovery Timeline
- 2025-11-13 - CVE-2025-64739 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2025-64739
Vulnerability Analysis
This vulnerability falls under CWE-73 (External Control of File Name or Path), which occurs when software uses external input to construct a pathname that should be within a restricted directory, but fails to properly neutralize path elements. In the context of Zoom clients, the vulnerability allows an unauthenticated attacker to manipulate file path inputs, potentially traversing beyond intended directories to access sensitive files.
The attack can be conducted entirely over the network without requiring authentication or user interaction. The impact is focused on confidentiality, with the potential for high-severity information disclosure. No integrity or availability impact has been identified for this vulnerability.
Root Cause
The root cause of CVE-2025-64739 lies in insufficient validation and sanitization of user-controlled file path inputs within certain Zoom client applications. When external input is used to construct file paths without proper neutralization of special elements (such as ../ sequences or absolute path indicators), attackers can specify paths outside the intended directory structure.
Attack Vector
The attack vector for this vulnerability is network-based, requiring no prior authentication or privileges. An attacker can remotely exploit this vulnerability by sending crafted requests to affected Zoom clients that contain manipulated file path parameters.
The vulnerability allows path traversal through insufficient input validation, enabling an attacker to reference files outside the intended directory scope. For example, an attacker could potentially craft requests that traverse the directory structure to access configuration files, logs, or other sensitive data stored on the system running the vulnerable Zoom client.
Technical details regarding specific exploitation methods can be found in the Zoom Security Bulletin ZSB-25041.
Detection Methods for CVE-2025-64739
Indicators of Compromise
- Unexpected file access attempts in Zoom client logs targeting files outside normal application directories
- Network traffic containing path traversal sequences (../, ..\\, or absolute paths) directed at Zoom client endpoints
- Unusual file read operations from Zoom processes accessing sensitive system directories
- Anomalous outbound data transfers following Zoom client network activity
Detection Strategies
- Monitor Zoom client processes for file access operations outside expected directories using endpoint detection and response (EDR) solutions
- Implement network-level inspection for path traversal patterns in traffic destined for Zoom clients
- Configure SIEM rules to alert on file access events from Zoom processes targeting sensitive file locations
- Enable verbose logging on Zoom clients and analyze for suspicious path references
Monitoring Recommendations
- Establish baseline file access patterns for Zoom client applications and alert on deviations
- Deploy SentinelOne agents on endpoints running affected Zoom products for real-time behavioral analysis
- Monitor for unusual data exfiltration patterns following Zoom client activity
- Review Zoom client configurations and enabled features that may expand attack surface
How to Mitigate CVE-2025-64739
Immediate Actions Required
- Update all affected Zoom products to the latest patched versions immediately
- Audit systems running vulnerable Zoom client versions across the organization
- Enable additional monitoring on endpoints running affected Zoom software until patches are applied
- Review and restrict network access to Zoom clients where feasible
Patch Information
Zoom has released security patches addressing this vulnerability. Organizations should consult the Zoom Security Bulletin ZSB-25041 for specific version information and download links for patched releases. The bulletin provides detailed guidance on affected version ranges and the minimum safe versions for each platform and product.
Workarounds
- Implement network segmentation to limit exposure of Zoom clients to untrusted networks
- Apply host-based firewall rules to restrict incoming connections to Zoom clients
- Disable unnecessary Zoom client features that may increase attack surface until patches are applied
- Use application control policies to limit Zoom client file system access to required directories only
# Example: Restrict Zoom directory access on Linux systems
# Create a confined directory for Zoom data access
mkdir -p /opt/zoom/data
chmod 700 /opt/zoom/data
# Configure firewall rules to limit Zoom network exposure
iptables -A INPUT -p tcp --dport 8801:8802 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8801:8802 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
