Unrated severity · NVD Advisory · Published Nov 17, 2022 · Updated Apr 29, 2025

Local Privilege Escalation in Zoom Client Installer for macOS

CVE-2022-28768

Description

The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to root.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged user on macOS can escalate to root during the Zoom Client for Meetings Installer process prior to version 5.12.6.

Vulnerability

The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. A low-privileged user on the system can exploit this vulnerability during the installation process to gain root privileges. The exact code path is triggered while the installer runs with elevated privileges, allowing the attacker to manipulate the installation sequence [1].

Exploitation

An attacker must already have local low-privileged access to the macOS system. No network position or additional authentication is required beyond the initial low-privileged user context. Exploitation occurs while the Zoom installer is running; the attacker can intervene in the installation process (for example, through a race condition or improper permission handling) to escalate privileges. Accurate timing may be required to hijack the installer's privileged operations [1].

Impact

On successful exploitation, the attacker gains root-level access on the macOS system. This allows full control over the operating system, including reading and writing arbitrary files, installing kernel extensions, and bypassing security restrictions. The impact affects confidentiality, integrity, and availability of the entire system from the low-privilege starting point [1].

Mitigation

Zoom released version 5.12.6 of the Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) that fixes this vulnerability. Users should update to 5.12.6 or later. There is no public workaround other than upgrading, and the vulnerability is not known to be listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
