Cyber Posture

CVE-2025-0149

Medium

Published: 11 March 2025

Modified: 19 August 2025
KEV Added:
Patch:
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Security Summary

CVE-2025-0149 involves insufficient verification of data authenticity, classified under CWE-345, affecting some Zoom Workplace Apps. Published on 2025-03-11T17:16:17.523, the vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), rated as Medium severity.

An unprivileged user with network access can exploit this vulnerability to conduct a denial of service. The attack has low complexity and requires neither privileges nor user interaction; it results in low impact to integrity and availability, no confidentiality impact, and an unchanged scope.

The Zoom security bulletin at https://www.zoom.com/en/trust/security-bulletin/zsb-25008/ provides details on advisories and patches for mitigation.

Details

CWE(s): CWE-345 (Insufficient Verification of Data Authenticity)

Affected Products

Vendor  Product                                    Affected versions
zoom    meeting software development kit           ≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom    rooms                                      ≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom    rooms controller                           ≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom    workplace                                  ≤ 6.3.0 · ≤ 6.3.0
zoom    workplace desktop                          ≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom    workplace virtual desktop infrastructure   ≤ 6.1.15 · 6.1.16 through 6.2.10

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The vulnerability enables remote, unauthenticated exploitation of Zoom apps via insufficient data authenticity verification to cause denial of service, which maps directly to application or system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References