Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), is an untrusted search path issue that could allow privilege escalation.

"Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access," Zoom said in a security bulletin on Tuesday.

The issue, reported by Zoom's own Offensive Security team, affects the following products -

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10

The disclosure comes as Horizon3.ai has detailed multiple vulnerabilities in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include -

  • CVE-2025-8355 (CVSS score: 7.5) - XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
  • CVE-2025-8356 (CVSS score: 9.8) - Path traversal vulnerability leading to remote code execution

"These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack," Horizon3.ai said.

The cybersecurity company said CVE-2025-8355 stems from the fact that the binary ("jmfclient.jar") responsible for handling Job Messaging Format (JMF) messages, which contain commands for managing print jobs and reporting their status, included an XML parsing utility that did not sanitize or limit the use of XML External Entities. As a result, an attacker could send a specially crafted request to perform SSRF attacks.
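The following is an added example, not code from FreeFlow Core or Horizon3.ai, that shows the mechanism behind such an XXE-to-SSRF bug and the usual fix. It uses Python's expat bindings on a constructed JMF-style message (the element and attribute names, the URL, and the entity name are all made up for illustration): in the vulnerable pattern the parser resolves external entities and hands the application an attacker-chosen URL to fetch, while the hardened pattern rejects any document that carries a DTD at all, since a JMF message has no legitimate need for one.

```python
import xml.parsers.expat

# Constructed sample: a JMF-style message carrying an XXE payload. The SYSTEM
# identifier is attacker-controlled; a parser that resolves it makes the server
# fetch that URL on the attacker's behalf (SSRF). The host is a placeholder.
JMF_XXE = """<?xml version="1.0"?>
<!DOCTYPE JMF [
  <!ENTITY probe SYSTEM "http://10.0.0.5/admin">
]>
<JMF SenderID="attacker" Version="1.3">
  <Query Type="KnownDevices" ID="q1"/>
  <Comment>&probe;</Comment>
</JMF>
"""

# Constructed benign message with no DTD, the shape a legitimate client sends.
JMF_CLEAN = """<?xml version="1.0"?>
<JMF SenderID="press-controller" Version="1.3">
  <Query Type="KnownDevices" ID="q1"/>
</JMF>
"""


def parse_resolving_entities(xml_text):
    """Vulnerable pattern: external entities are resolved.

    A real application would open system_id (file, http, ...) and splice the
    response into the document. The fetch is stubbed here: we only record the
    URLs the parser asked for, which is exactly what the attacker controls.
    """
    requested = []

    def external_entity_ref(context, base, system_id, public_id):
        requested.append(system_id)  # a real resolver would fetch this URL
        return 1  # tell expat the entity was handled

    parser = xml.parsers.expat.ParserCreate()
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_text, True)
    return requested


class DTDNotAllowed(ValueError):
    """Raised when a message tries to declare a DTD (and therefore entities)."""


def parse_hardened(xml_text):
    """Hardened pattern: refuse any DOCTYPE before a single entity is declared.

    Returns the element names seen, so a caller can go on to dispatch on them.
    No ExternalEntityRefHandler is installed, so even if a DTD slipped through
    expat would skip the reference rather than resolve it.
    """
    elements = []

    def start_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DTDNotAllowed("DOCTYPE declarations are not accepted in JMF")

    def start_element(name, attrs):
        elements.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.Parse(xml_text, True)
    return elements


if __name__ == "__main__":
    print("vulnerable parser would fetch:", parse_resolving_entities(JMF_XXE))
    print("hardened parser accepts:", parse_hardened(JMF_CLEAN))
    try:
        parse_hardened(JMF_XXE)
    except DTDNotAllowed as exc:
        print("hardened parser rejected XXE message:", exc)
```

Rejecting the DTD outright is the simplest durable fix; merely disabling external general entities still leaves parameter-entity and entity-expansion tricks to audit, whereas a message format that never needs a DTD can refuse them wholesale.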

CVE-2025-8356, on the other hand, stems from the XML parsing routine's inadequate handling of JMF commands related to file upload and processing, opening the door to a path traversal attack. This vulnerability could be weaponized to drop a web shell in a publicly accessible location via a crafted HTTP request.
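As an added illustration of the path traversal class described above (this is example code, not FreeFlow Core's implementation, and the upload directory and file names are assumed), the following contrasts a file-upload handler that trusts a client-supplied name with one that canonicalises the result and verifies it stays inside the upload root. Both absolute names and `..` segments must be caught, since a plain `join` silently discards the root when the second argument is absolute.

```python
import posixpath

# Assumed upload directory; the real product's layout is not given in the advisory.
UPLOAD_ROOT = "/srv/freeflow/uploads"


def unsafe_target(client_name, root=UPLOAD_ROOT):
    """Vulnerable pattern: the client-supplied name is joined straight onto the
    upload root. '..' segments walk out of the directory, and an absolute name
    makes posixpath.join drop the root entirely."""
    return posixpath.normpath(posixpath.join(root, client_name))


class UnsafePath(ValueError):
    """Raised when a client-supplied name would land outside the upload root."""


def safe_target(client_name, root=UPLOAD_ROOT):
    """Hardened pattern: canonicalise, then check containment by path component.

    Backslashes are treated as separators too (a conservative choice, since the
    same upload code may run on Windows), embedded NULs are rejected, absolute
    names are rejected, and the final containment test uses commonpath rather
    than a string prefix so that '/srv/freeflow/uploads-old/x' cannot pass.
    """
    if not client_name or "\x00" in client_name:
        raise UnsafePath("empty name or embedded NUL")
    name = client_name.replace("\\", "/")
    if posixpath.isabs(name):
        raise UnsafePath("absolute path rejected")
    full = posixpath.normpath(posixpath.join(root, name))
    if full == root or posixpath.commonpath([root, full]) != root:
        raise UnsafePath("path escapes upload root")
    return full


if __name__ == "__main__":
    # Constructed attacker inputs aimed at a web-served directory (hypothetical path).
    for name in ["../../webapps/ROOT/shell.jsp", "/etc/passwd", "jobs/job1.pdf"]:
        print("unsafe:", name, "->", unsafe_target(name))
        try:
            print("safe:  ", name, "->", safe_target(name))
        except UnsafePath as exc:
            print("safe:  ", name, "-> rejected:", exc)
```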

"While the service on port 4004 doesn't contain any features that would allow this file to be served, the primary web portals provide all the necessary functionality for executing and serving our malicious payload," security researcher Jimi Sebree said.
