Zoom On-Premise Deployments: Improper Access Control Vulnerability
Description
Zoom On-Premise Meeting Connector MMR before version 4.8.129.20220714 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants, can admit themselves into the meeting from the waiting room, and can become host and cause other meeting disruptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper access control in Zoom On-Premise MMR before version 4.8.129.20220714 allows invisible join, waiting room bypass, and host takeover.
Vulnerability
CVE-2022-28754 is an improper access control vulnerability in Zoom On-Premise Meeting Connector MMR versions before 4.8.129.20220714 [1]. The flaw exists in the meeting connector component handling participant authorization and meeting role management. The vulnerability allows an authorized user to bypass normal meeting participation controls.
Exploitation
An attacker who is authorized to join a meeting (i.e., has valid meeting credentials or is invited) can exploit this flaw by simply joining the meeting; no special tools or authentication beyond being a legitimate participant are required. The attacker can join without appearing to other participants, admit themselves from the waiting room without host approval, and escalate their privileges to host [1].
Impact
A successful exploit allows the attacker to become invisible to other participants, bypass waiting room restrictions, and gain host privileges. This can lead to meeting disruptions, including unauthorized control over meeting settings and the ability to mute or remove participants, and to an overall compromise of meeting confidentiality and integrity [1].
Mitigation
Zoom released the fix in version 4.8.129.20220714 of the On-Premise Meeting Connector MMR [1]. Users should update to this version or later immediately. No workarounds have been published by Zoom. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <4.8.129.20220714
- Range: unspecified
References
- [1] explore.zoom.us/en/trust/security/security-bulletin/ (mitre, x_refsource_MISC)