Key Takeaways

- Zoom patched a critical bug that allowed unauthenticated attackers to take over accounts without user interaction
- The flaw affected Zoom Desktop Client and VDI Client for Windows before version 7.0.0
- Security researchers warn that exploitation becomes easier once the patch is reverse-engineered, which AI tools now accelerate
Zoom disclosed and patched a critical security vulnerability this week that could let an unauthenticated attacker take over user accounts through network access alone. No credentials, no user interaction required. For a platform with more than 300 million daily active users and 470,000 paying business customers, the stakes are hard to overstate.
The company released security bulletins Tuesday detailing four flaws, then shipped patches Wednesday. The most severe bug affected Zoom Desktop Client for Windows before version 7.0.0 and Zoom VDI Client for Windows before version 7.0.10. Zoom initially listed Meeting SDK for Windows as impacted, then quietly removed it from the affected products list without explanation.
Why this flaw is "as bad as it gets"
Frank Dickson, group VP for security at IDC, called the vulnerability alarming. "This bug is about as bad as it gets, short of a worm. It is exploitable over the network, low complexity, zero privileges required, no user interaction needed," he said.
The concern extends beyond the initial disclosure. Once technical details leak or someone reverse-engineers the patch, exploitation becomes straightforward. Dickson pointed out that AI tools have lowered the bar significantly. "Yesterday's script kiddies have been empowered," he said.
The silver lining: Zoom discovered the flaw internally, and no in-the-wild exploitation had been reported as of Thursday. That suggests the company's security team caught it before attackers did.
What attackers could do with a hijacked Zoom account
Brian Levine, executive director at FormerGov, emphasized the sensitive data at risk. An attacker with full access to a Zoom account could listen to recordings of confidential meetings, eavesdrop on scheduled calls, and impersonate the organization to social-engineer clients and partners.
"Given the ubiquity of Zoom in large enterprises, this vulnerability is pretty concerning," Levine said. He credited Zoom's security team for "actually doing the hard, unglamorous work of auditing its code."
How the attack likely works
Giuseppe Trotta, principal security researcher at Malwarebytes, offered a theory on the attack vector. Because the vulnerability requires zero privileges and no user interaction, he suspects it involves mishandling of deep links. Custom URL schemes like zoommtg:// or zoomworkplace:// could be the entry point.
If the Zoom Workplace client for Windows fails to properly sanitize incoming arguments passed through these browser-to-desktop links, an attacker could craft a malicious string that tricks the application into exposing session tokens to an attacker-controlled server. The result: silent, complete account takeover.
"Watch out for Zoom links and invites if you are on Windows or VDI and haven't updated yet," Trotta advised.
Three additional privilege escalation bugs
The account takeover flaw grabbed headlines, but Zoom also patched three privilege escalation vulnerabilities. These affected Zoom Workplace for Windows before version 7.0.5, Zoom Rooms for Windows before 7.0.5 and 7.1.0, and Zoom Workplace VDI Plugin for Windows before version 6.6.14.
Privilege escalation bugs let an attacker who already has some access gain higher permissions. Combined with social engineering or another initial access vector, they can turn limited footholds into full system compromise.
Questions about Zoom's development process
Mike Wilkes, enterprise CISO at Aikido Security, praised Zoom for finding the critical flaw but raised process concerns. "This vulnerability raises questions about why the defect was not caught by design review, fuzzing, or pre-release abuse-case testing," he said.
Wilkes pointed to a historical pattern. "A historical defect in Zoom's product/security relationship has been prioritizing ease of use over security risk." The company has faced scrutiny since the pandemic-era "Zoombombing" incidents and encryption controversies. France recently moved to restrict Zoom usage by government employees.
What SaaS operators should do now
If your organization runs Zoom on Windows, update immediately to version 7.0.0 or later for the Desktop Client and 7.0.10 or later for VDI. Check all workstations, not just those managed by IT. Remote workers and contractors often slip through centralized update policies.
Review recent Zoom recordings and meeting logs for any anomalies. If an account was compromised before the patch, the attacker may have accessed meeting content or scheduled future eavesdropping.
For teams that manage sensitive communications through Zoom, consider whether session recording policies and access controls are tight enough. A compromised admin account could exfiltrate months of meeting data.
Logicity's Take
This vulnerability is a reminder that your video conferencing platform holds more sensitive data than your CRM. Zoom competes with Microsoft Teams, Google Meet, and Cisco Webex, all of which have had their own security incidents. The real question for SaaS operators is whether your security review process includes the collaboration tools employees actually use, not just the apps IT officially manages. Zoom's quick patch is good, but the flaw's severity suggests security testing gaps in their SDLC.
Frequently Asked Questions
Which Zoom products were affected by the account takeover vulnerability?
Zoom Desktop Client for Windows before version 7.0.0 and Zoom VDI Client for Windows before version 7.0.10 (and earlier branches 6.6.15 and 6.5.18). Zoom initially listed Meeting SDK for Windows but later removed it.
Was this Zoom vulnerability exploited in the wild?
No in-the-wild exploitation was reported as of Thursday, according to IDC's Frank Dickson. Zoom discovered the flaw internally before attackers could leverage it.
How could an attacker exploit this Zoom security flaw?
The vulnerability required no authentication and no user interaction. Security researchers suspect it involved improper handling of custom URL schemes like zoommtg://, allowing attackers to steal session tokens via malicious links.
What version of Zoom should I update to?
Update to Zoom Desktop Client 7.0.0 or later for the account takeover fix. For privilege escalation bugs, Zoom Workplace should be 7.0.5 or later, and Zoom Rooms should be 7.1.0 or later.
Does this vulnerability affect Zoom on Mac or Linux?
No. All disclosed vulnerabilities in this bulletin affected Windows versions only, including the Desktop Client, VDI Client, Zoom Rooms, and Workplace products.
Enterprise security architecture patterns for protecting sensitive workloads
Need Help Implementing This?
If you're reviewing your organization's video conferencing security posture or need help with vulnerability management processes, reach out to the Logicity team for consulting recommendations.
Source: Computerworld
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.






