CVE-2025-27442
Description
Cross site scripting in some Zoom Workplace Apps may allow an unauthenticated user to conduct a loss of integrity via adjacent network access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An adjacent network attacker can exploit cross-site scripting in Zoom Workplace Apps to compromise integrity without authentication.
Vulnerability
Overview
CVE-2025-27442 is a cross-site scripting (XSS) vulnerability found in multiple Zoom Workplace desktop applications. The issue exists in versions of the Zoom Workplace Desktop App for Windows and macOS prior to 6.3.10, and for Linux prior to 6.31.0 [1]. The root cause is insufficient sanitization of user-controlled input, allowing an attacker to inject arbitrary script code into a trusted Zoom session.
Exploitation
Conditions
An unauthenticated attacker can exploit this flaw from the same adjacent network as the victim, such as a shared Wi-Fi or wired local network segment. The vector string (CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) confirms that no privileges are required (PR:N) and that user interaction is required (UI:R), e.g., clicking a malicious link or opening a crafted message [1]. Adjacent network access (AV:A) is the attack vector, so the flaw cannot be exploited remotely from the internet.
Impact
Successful exploitation leads to a loss of integrity, as the attacker can perform actions within the context of the victim's Zoom session. This may include modifying displayed content or tricking the user into performing unintended actions. The confidentiality impact is limited (Low), as the XSS may also expose some session data [1].
Mitigation
Zoom has addressed this vulnerability by releasing updated versions of the affected apps. Users are advised to update to Zoom Workplace Desktop App for Windows/macOS version 6.3.10 or later, and Linux version 6.31.0 or later. These updates are available from the official Zoom download center [1]. No workarounds are documented; applying the latest patch is the recommended course of action.
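The version thresholds above, as an added inventory check that is not code from Zoom or from this CVE record: it compares installed Zoom Workplace builds numerically against the fixed versions this page names per platform (string comparison would wrongly rank 6.3.9 above 6.3.10). The function names and the sample inventory are assumptions for illustration.

```python
# Added example (not from the Zoom advisory or this CVE record): flag installed
# Zoom Workplace builds that predate the fixed versions listed on this page.
# Function names and the sample inventory below are assumptions for illustration.
import re

# Earliest fixed versions per platform, as stated in this page's Overview/Mitigation.
FIXED_VERSIONS = {
    "windows": (6, 3, 10),
    "macos": (6, 3, 10),
    "linux": (6, 31, 0),
}

def parse_version(version: str) -> tuple:
    """Turn a string like '6.3.10 (59999)' into (6, 3, 10).
    Numeric tuples compare correctly; as strings, '6.3.9' > '6.3.10'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_affected(platform: str, version: str) -> bool:
    """True if the installed build is below the fixed version for its platform."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    installed = parse_version(version)
    fixed = FIXED_VERSIONS[key]
    # Pad to equal length so that (6, 3) compares as (6, 3, 0).
    width = max(len(installed), len(fixed))
    installed += (0,) * (width - len(installed))
    fixed += (0,) * (width - len(fixed))
    return installed < fixed

def triage(inventory: dict) -> list:
    """Hostnames from a {host: (platform, version)} inventory still needing the update."""
    return sorted(host for host, (plat, ver) in inventory.items() if is_affected(plat, ver))

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = {
    "wks-01": ("Windows", "6.3.9"),
    "wks-02": ("Windows", "6.3.10 (59999)"),
    "mac-01": ("macOS", "6.3.5"),
    "lnx-01": ("Linux", "6.3.10"),   # below the 6.31.0 Linux threshold this page gives
    "lnx-02": ("Linux", "6.31.0"),
}

if __name__ == "__main__":
    print("Hosts needing the update:", triage(SAMPLE_INVENTORY))
```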
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Zoom Communications, Inc. / Zoom Workplace Apps. Range: see references.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] www.zoom.com/en/trust/security-bulletin/zsb-25013 (NVD: Vendor Advisory)
News mentions
No linked articles in our index yet.