CVE-2025-0150
Published: 11 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-0150 involves incorrect behavior order, classified under CWE-696, affecting Zoom Workplace Apps for iOS in versions before 6.3.0. This flaw enables an authenticated user to trigger a denial-of-service condition through network access. The vulnerability carries a CVSS v3.1 base score of 7.1, reflecting network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), no integrity impact (I:N), and high availability impact (A:H).
An authenticated user with low privileges can exploit this vulnerability remotely over the network, with low attack complexity and no user interaction on the target. Exploitation leads primarily to denial of service, severely disrupting availability, alongside limited confidentiality exposure but without affecting integrity.
The Zoom security bulletin ZSB-25009, available at https://www.zoom.com/en/trust/security-bulletin/zsb-25009/, addresses this issue, with the vulnerability resolved in Zoom Workplace Apps for iOS version 6.3.0 and later.
Details
- CWE(s): CWE-696 (Incorrect Behavior Order)
- Affected Products: Zoom Workplace Apps for iOS before version 6.3.0 (fixed in 6.3.0 and later)
- MITRE ATT&CK Enterprise Techniques: Endpoint Denial of Service, Application or System Exploitation
Why these techniques?
The vulnerability enables remote exploitation of the Zoom iOS app leading to denial of service via incorrect behavior order, which maps directly to the Application or System Exploitation sub-technique of Endpoint Denial of Service.