Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.
The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.
“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.
The issue, reported by its own Offensive Security team, affects the following products –
- Zoom Workplace for Windows before version 6.3.10
- Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
- Zoom Rooms for Windows before version 6.3.10
- Zoom Rooms Controller for Windows before version 6.3.10
- Zoom Meeting SDK for Windows before version 6.3.10
The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include –
- CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
- CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution
“These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.
