
Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws


Aug 13, 2025 · Ravie Lakshmanan · Vulnerability / Software Security


Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

The issue, reported by its own Offensive Security team, affects the following products –

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10
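The affected-version list above is easy to misapply because of the two VDI back-port releases that are already patched. As an added example (not Zoom's own tooling), the following Python script encodes the bulletin's ranges and triages a constructed software inventory; the inventory format and host names are assumptions for illustration.

```python
# Added example: triage a software inventory against the CVE-2025-49457 bulletin.
# The thresholds below are taken from the bulletin text; the inventory is constructed.

FIXED_VERSION = (6, 3, 10)            # every listed product is fixed at 6.3.10
VDI_EXCEPTIONS = {(6, 1, 16), (6, 2, 12)}  # patched back-ports, VDI client only
AFFECTED_PRODUCTS = {
    "Zoom Workplace for Windows",
    "Zoom Workplace VDI for Windows",
    "Zoom Rooms for Windows",
    "Zoom Rooms Controller for Windows",
    "Zoom Meeting SDK for Windows",
}


def parse_version(text: str) -> tuple:
    """Turn '6.3.10' into (6, 3, 10); a trailing build number such as '6.2.12.1234' is ignored."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts[:3])


def is_vulnerable(product: str, version: str) -> bool:
    """True if this product/version pair falls inside the bulletin's affected range."""
    if product not in AFFECTED_PRODUCTS:
        return False
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return False
    # The 6.1.16 / 6.2.12 exception applies only to the VDI client, not to the other products.
    if product == "Zoom Workplace VDI for Windows" and v in VDI_EXCEPTIONS:
        return False
    return True


def triage(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [(host, prod, ver) for host, prod, ver in inventory if is_vulnerable(prod, ver)]


# Constructed sample inventory (hostname, product, installed version); not real hosts.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace for Windows", "6.3.5"),
    ("ws-02", "Zoom Workplace for Windows", "6.3.10"),
    ("vdi-01", "Zoom Workplace VDI for Windows", "6.2.12"),
    ("vdi-02", "Zoom Workplace VDI for Windows", "6.2.11"),
    ("room-01", "Zoom Rooms for Windows", "6.4.0"),
    ("dev-01", "Zoom Meeting SDK for Windows", "6.1.16"),
]

if __name__ == "__main__":
    for host, prod, ver in triage(SAMPLE_INVENTORY):
        print(f"{host}: {prod} {ver} -> update to 6.3.10 or later")
```

Note that `dev-01` is flagged even though it runs 6.1.16: the exception in the bulletin is scoped to the VDI client, so a plain numeric comparison without the product check would produce a false negative there.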

The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include –

  • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
  • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution

“These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.
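The two FreeFlow Core bug classes (XXE leading to SSRF, and path traversal leading to RCE) are both input-handling defects on the server side. As an added example, not Xerox's code and not based on FreeFlow Core internals, the Python below shows the two standard mitigations for a hypothetical job-submission endpoint: refuse any XML that carries a DOCTYPE (without a DTD there are no entity declarations, so neither external entities nor entity expansion can occur), and resolve client-supplied file names against a fixed upload directory before use. The job XML layout, the upload directory and the sample inputs are constructed for illustration.

```python
# Added example: hardening an XML job upload against XXE and path traversal.
# Not FreeFlow Core code; the job schema and directory layout are assumptions.
import xml.etree.ElementTree as ET
import xml.parsers.expat
from pathlib import Path


class DoctypeRejected(ValueError):
    """Raised when a submitted document carries a DTD, where entities would be declared."""


def reject_doctype(data: bytes) -> None:
    """Throw-away expat pass that aborts on the first DOCTYPE declaration.

    Rejecting the DTD outright is simpler and safer than trying to disable
    individual entity features, and it also blocks entity-expansion DoS.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE '{name}' is not accepted in job submissions")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def parse_job_xml(data: bytes) -> ET.Element:
    """Parse a job document only after confirming it declares no DTD."""
    reject_doctype(data)
    return ET.fromstring(data)


def safe_join(base_dir: str, user_path: str) -> Path:
    """Resolve a client-supplied path and refuse anything that escapes base_dir.

    Resolution happens before the containment check, so '..' segments,
    absolute paths and symlinks are all judged by where they actually land.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:
        raise ValueError(f"path escapes upload directory: {user_path!r}")
    return candidate


def is_accepted(data: bytes) -> bool:
    """Convenience wrapper: True if the document parses under the no-DTD policy."""
    try:
        parse_job_xml(data)
        return True
    except (DoctypeRejected, ET.ParseError):
        return False


def is_safe_path(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if user_path stays inside base_dir."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


# Constructed sample inputs (not captured from any product).
UPLOAD_DIR = "/srv/jobs/uploads"  # assumed upload root
BENIGN_JOB = b"<job><name>print-run-42</name><output>run42.pdf</output></job>"
DTD_JOB = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE job [<!ENTITY ext SYSTEM "http://127.0.0.1/">]>'
    b"<job><name>&ext;</name></job>"
)

if __name__ == "__main__":
    print("benign job accepted:", is_accepted(BENIGN_JOB))
    print("DTD job accepted:", is_accepted(DTD_JOB))
    for p in ("run42.pdf", "batch/../run42.pdf", "../../etc/hostname", "/etc/hostname"):
        print(f"{p!r} inside upload dir: {is_safe_path(UPLOAD_DIR, p)}")
```

In production a maintained library such as defusedxml gives the same DTD policy with less hand-rolled code, and the path check should be applied at the single point where the file name enters the filesystem layer rather than at each call site.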
