
Zoom and Xerox have addressed critical security flaws in Zoom clients for Windows and in Xerox FreeFlow Core that could allow privilege escalation and remote code execution.
The vulnerability affecting Zoom clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), stems from an untrusted search path that could pave the way for privilege escalation.
“Untrusted search paths for certain Windows Zoom clients may allow unauthorized users to escalate privileges via network access,” Zoom said in a security bulletin on Tuesday.
The issue, which was reported by Zoom's own offensive security team, affects the following products:
- Zoom Workplace for Windows before version 6.3.10
- Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
- Zoom Rooms for Windows before version 6.3.10
- Zoom Rooms Controller for Windows before version 6.3.10
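A quick way to triage a fleet against this advisory is to compare the installed version of each affected Windows product with the fixed version 6.3.10, while honouring the two VDI branches the bulletin exempts. The following Python snippet is an added example, not code from Zoom; the product names, the inventory rows and the assumption that the VDI exemption means "any 6.1.16.x or 6.2.12.x build" are the author's own.

```python
"""Added example (not Zoom's code): triage an inventory of installed Zoom
clients for Windows against the fix for CVE-2025-49457 (untrusted search
path, fixed in 6.3.10). Product names and inventory rows are constructed."""

FIXED = (6, 3, 10)

# Per the bulletin, Zoom Workplace VDI for Windows 6.1.16 and 6.2.12 are not
# affected; we treat any 6.1.16.x / 6.2.12.x build as exempt (assumption).
VDI_PRODUCT = "Zoom Workplace VDI for Windows"
VDI_EXEMPT = {(6, 1, 16), (6, 2, 12)}

AFFECTED_PRODUCTS = {
    "Zoom Workplace for Windows",
    VDI_PRODUCT,
    "Zoom Rooms for Windows",
    "Zoom Rooms Controller for Windows",
}


def parse_version(text):
    """'6.3.10.1234' -> (6, 3, 10, 1234); tuple order gives correct comparison."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(product, version):
    """True when the product is in scope and the build predates 6.3.10."""
    if product not in AFFECTED_PRODUCTS:
        return False
    v = parse_version(version)
    if product == VDI_PRODUCT and v[:3] in VDI_EXEMPT:
        return False
    return v < FIXED


# Constructed inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("host01", "Zoom Workplace for Windows", "6.2.5"),
    ("host02", "Zoom Workplace for Windows", "6.3.10"),
    ("host03", VDI_PRODUCT, "6.1.16"),
    ("host04", VDI_PRODUCT, "6.1.15"),
    ("host05", "Zoom Rooms for Windows", "6.3.11"),
    ("host06", "Zoom for macOS", "6.2.0"),
]


def triage(inventory):
    """Return the hostnames that still run a vulnerable build."""
    return [host for host, product, version in inventory
            if is_vulnerable(product, version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs update:", host)
```

On real hosts the version strings would come from the uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall or from an endpoint-management export; the comparison logic above does not change.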

The disclosure comes as several vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could lead to remote code execution. The issues, addressed in version 8.0.4, include:
- CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
- CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution
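Both FreeFlow Core issues are textbook input-validation classes: an XML parser that honours DOCTYPE/ENTITY declarations (letting a SYSTEM identifier point at an internal URL, hence SSRF), and a file path built from a client-supplied name without a containment check. The Python below is an added example written for this page, not Xerox's code; the upload directory, the job-ticket format and the sample payloads are constructed for illustration.

```python
"""Added example (not Xerox's code): the vulnerable pattern beside a hardened
check for the two classes reported in FreeFlow Core. The upload root, the
job-ticket XML and the payloads are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

UPLOAD_ROOT = "/srv/freeflow/uploads"  # hypothetical upload directory


def normalize_posix(user_path):
    """Lexically collapse '.' and '..'. Return None if '..' climbs above the start."""
    parts = []
    for seg in user_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None          # would escape the root
            parts.pop()
        else:
            parts.append(seg)
    return "/".join(parts)


def naive_join(root, user_path):
    """Vulnerable pattern: trusts the client-supplied name, so '../' walks out of root."""
    return root.rstrip("/") + "/" + user_path


def safe_join(root, user_path):
    """Hardened: reject absolute paths, backslashes and NULs, then require the
    normalized relative path to stay below root. Decode URL encoding first."""
    if user_path.startswith("/") or "\\" in user_path or "\x00" in user_path:
        raise ValueError("rejected path: %r" % user_path)
    rel = normalize_posix(user_path)
    if not rel:
        raise ValueError("rejected path: %r" % user_path)
    return root.rstrip("/") + "/" + rel


# Any DTD is rejected before parsing: that blocks external entities that read
# files as well as SYSTEM identifiers pointing at internal HTTP services (SSRF).
DOCTYPE_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(xml_bytes):
    return DOCTYPE_RE.search(xml_bytes) is not None


def parse_job_ticket(xml_bytes):
    """Parse a ticket only after the DTD pre-check passes."""
    if has_dtd(xml_bytes):
        raise ValueError("DTD declarations are not allowed in job tickets")
    return ET.fromstring(xml_bytes)


# Constructed sample inputs.
TRAVERSAL = "../../../../etc/passwd"
XXE_SSRF = (b'<?xml version="1.0"?>'
            b'<!DOCTYPE d [<!ENTITY x SYSTEM "http://169.254.169.254/latest/meta-data/">]>'
            b'<job>&x;</job>')
CLEAN = b'<?xml version="1.0"?><job><name>print-42</name></job>'


def demo():
    """Run the samples through both the vulnerable and the hardened code paths."""
    results = {"naive": naive_join(UPLOAD_ROOT, TRAVERSAL)}
    try:
        safe_join(UPLOAD_ROOT, TRAVERSAL)
        results["safe"] = "allowed"
    except ValueError:
        results["safe"] = "rejected"
    results["xxe_blocked"] = has_dtd(XXE_SSRF)
    results["clean_name"] = parse_job_ticket(CLEAN).findtext("name")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The path check is deliberately lexical rather than relying on the filesystem, so it behaves the same whether or not the target exists; in a real service it would run after the framework has URL-decoded the request, and the DTD pre-check would sit alongside a parser configured to refuse external entities rather than replace one.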
“These vulnerabilities are trivial to exploit, and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or launch further attacks to try to move laterally within a corporate environment.”