Cyber Posture

CVE-2025-0145

Medium

Published: 30 January 2025

Modified: 20 August 2025
KEV Added:
Patch:
CVSS Score: 4.6 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L)
EPSS Score: 0.0009 (25.0th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Description

Untrusted search path in the installer for some Zoom Workplace Apps for Windows may allow an authorized user to conduct an escalation of privilege via local access.

Security Summary

CVE-2025-0145 is an untrusted search path vulnerability (CWE-426) affecting the installer for some Zoom Workplace Apps for Windows. Published on 2025-01-30, it carries a CVSS v3.1 base score of 4.6 (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:L). The issue enables an authorized user with local access to potentially escalate privileges by exploiting the untrusted search path during installer execution.

Exploitation requires local access, low privileges, and user interaction; attack complexity is low. A malicious actor meeting these conditions could leverage the vulnerability to achieve privilege escalation, resulting in low impacts to integrity and availability within a changed scope, but no confidentiality impact.

Zoom's security bulletin ZSB-25004 at https://www.zoom.com/en/trust/security-bulletin/zsb-25004/ provides further details on mitigation and patches.

Details

CWE(s)
CWE-426

Affected Products

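| Vendor | Product | Affected versions |
|--------|---------|-------------------|
| zoom | meeting software development kit | ≤ 6.2.5 |
| zoom | rooms | ≤ 6.2.5 |
| zoom | rooms controller | ≤ 6.2.5 |
| zoom | video software development kit | ≤ 6.2.5 |
| zoom | workplace desktop | ≤ 6.2.5 |
| zoom | workplace virtual desktop infrastructure | ≤ 6.0.15 · 6.0.16 — 6.1.13 |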
