Cyber Posture

CVE-2024-45418

Severity: Medium

Published: 25 February 2025
Modified: 04 March 2025
KEV Added:
Patch:
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0034 (56.3 percentile)
Risk Priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Symlink following in the installer for some Zoom apps for macOS before version 6.1.5 may allow an authenticated user to conduct an escalation of privilege via network access.

Security Summary

CVE-2024-45418 involves symlink following in the installer for some Zoom apps on macOS versions before 6.1.5. This vulnerability, tied to CWE-61 (Symbolic Link Following) and CWE-59 (Improper Link Resolution Before File Access), carries a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) and was published on 2025-02-25.

An authenticated user with network access can exploit the issue during the installation process; exploitation requires low attack complexity, low privileges, and user interaction. Successful exploitation enables escalation of privilege with a changed scope, leading to limited impact on confidentiality and integrity but no availability disruption.

Zoom's security bulletin at https://www.zoom.com/en/trust/security-bulletin/zsb-24040/ addresses the vulnerability, recommending an update to version 6.1.5 or later as the primary mitigation.

Details

CWE(s)
CWE-61 (Symbolic Link Following), CWE-59 (Improper Link Resolution Before File Access)

Affected Products

Zoom Meeting Software Development Kit: ≤ 6.1.5
Zoom Rooms: ≤ 6.1.5
Zoom Video Software Development Kit: ≤ 6.1.5
Zoom Workplace Desktop: ≤ 6.1.5

References