Threat Advisory

Multiple DoS, Info Disclosure, XSS Vulnerabilities in Zoom

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Zoom has addressed six vulnerabilities across its Workplace, Rooms, and SDK products for all major platforms, including Windows, macOS, and Linux. The issues include two buffer-overflow flaws in Windows clients, a certificate-validation failure in Linux, improper authentication in macOS, a control-flow weakness in iOS, and a cross-site scripting (XSS) vulnerability affecting all platforms. These vulnerabilities could lead to denial of service, information disclosure, or compromise of data integrity.

  • CVE-2025-46788: A certificate validation failure in Zoom Workplace for Linux prior to version 6.4.13 allows attackers to spoof trusted certificates, potentially enabling man-in-the-middle (MitM) attacks. This vulnerability is rated High severity with CVSS 7.4.
  • CVE-2025-46789: A buffer overflow vulnerability in Zoom Workplace for Windows versions below 6.4.5 may result in application crashes or arbitrary code execution. This vulnerability is rated Medium severity with CVSS 6.5.
  • CVE-2025-49462: A cross-site scripting flaw affects Zoom’s cross-platform Workplace client versions below 6.4.5, which could allow attackers to inject malicious scripts into user sessions. This vulnerability is rated Low severity with CVSS 3.5.
  • CVE-2025-49463: A control-flow integrity flaw in Zoom Workplace for iOS versions before 6.4.5 may permit attackers to manipulate app behavior. This vulnerability is rated Medium severity with CVSS 6.5.
  • CVE-2025-49464: This identifier covers two separate vulnerabilities: a buffer overflow in Zoom Workplace for Windows and improper authentication in macOS, both in versions prior to 6.4.5. These flaws may lead to denial of service or unauthorized access. This vulnerability is rated Medium severity with CVSS 6.5.

RECOMMENDATION:

We strongly recommend that you update Zoom Workplace to version 6.4.5 on Windows and macOS, and to version 6.4.13 on Linux.
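As an added example (not Zoom's code and not part of the advisory itself), the recommendation above expressed as an inventory check: each installed Zoom Workplace build is mapped to the CVEs in this advisory that it still lacks a fix for, comparing versions numerically rather than as strings. The CVE numbers and fixed versions come from the advisory; the platform labels, hostnames and sample version strings are constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# (CVE, platform, first fixed version) as stated in the advisory above.
# CVE-2025-49462 is listed for every platform because the advisory says it
# affects the cross-platform client below 6.4.5.
ADVISORY: List[Tuple[str, str, Version]] = [
    ("CVE-2025-46788", "linux", (6, 4, 13)),
    ("CVE-2025-46789", "windows", (6, 4, 5)),
    ("CVE-2025-49463", "ios", (6, 4, 5)),
    ("CVE-2025-49464", "windows", (6, 4, 5)),
    ("CVE-2025-49464", "macos", (6, 4, 5)),
] + [("CVE-2025-49462", p, (6, 4, 5)) for p in ("windows", "macos", "linux", "ios")]

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Turn '6.4.5' or '6.4.5 (12345)' into (6, 4, 5) for numeric comparison."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Zoom version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def outstanding_cves(platform: str, version_text: str) -> List[str]:
    """CVEs from this advisory that the given build has not yet received a fix for."""
    installed = parse_version(version_text)
    return sorted({cve for cve, plat, fixed in ADVISORY
                   if plat == platform.lower() and installed < fixed})


def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> outstanding CVEs for every (host, platform, version) row."""
    return {host: outstanding_cves(plat, ver) for host, plat, ver in inventory}


# Constructed sample inventory (hostnames, platforms and versions are made up).
SAMPLE_INVENTORY = [
    ("win-lap-01", "windows", "6.4.4"),
    ("win-lap-02", "windows", "6.4.5 (12345)"),
    ("mac-01", "macos", "6.3.10"),
    ("lin-01", "linux", "6.4.9"),   # past the XSS fix, still missing the cert fix
    ("lin-02", "linux", "6.10.0"),  # would wrongly look older than 6.4.13 as a string
]

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {'OK' if not cves else ', '.join(cves)}")
```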

REFERENCES:

The following reports contain further technical details:
