CVE-2024-45424

Medium

Published: 25 February 2025

Published

25 February 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0033 56.1th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Description

Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.

Security Summary

CVE-2024-45424 is a business logic error, mapped to CWE-840, affecting some Zoom Workplace Apps. Published on 2025-02-25, the vulnerability enables an unauthenticated user to conduct a disclosure of information via network access. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

An unauthenticated attacker with network access to a vulnerable Zoom Workplace App can exploit this issue with low complexity and no requirement for user interaction or privileges. Exploitation leads to partial disclosure of sensitive information, as the scope remains unchanged.

Zoom has issued security bulletin ZSB-24036, available at https://www.zoom.com/en/trust/security-bulletin/zsb-24036/, which provides further details on the vulnerability. Security practitioners should consult this advisory for recommended mitigations and patching guidance.

Details

CWE(s): CWE-840NVD-CWE-noinfo

Affected Products

zoom

meeting software development kit

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

rooms

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

rooms controller

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

workplace

≤ 6.1.0 · ≤ 6.1.0

zoom

workplace desktop

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

workplace virtual desktop infrastructure

≤ 6.1.10

References

https://www.zoom.com/en/trust/security-bulletin/zsb-24036/
Vendor Advisory · security@zoom.us