Overview
CVE-2025-64739 is a medium severity vulnerability affecting certain Zoom Clients. This vulnerability allows an unauthenticated attacker with network access to potentially disclose sensitive information by manipulating file names or paths. The vulnerability stems from improper handling of external input related to file operations within the affected Zoom Clients.
Technical Details
The root cause of CVE-2025-64739 lies in the Zoom Client’s susceptibility to external control of file names or paths. Specifically, an unauthenticated attacker could craft network requests that influence how the Zoom Client handles file operations (e.g., logging, temporary file creation). By manipulating these file names or paths, the attacker could induce the Zoom Client to disclose information it would normally keep private. Depending on the specific implementation, this information could include configuration details, temporary files containing session information, or other sensitive data.
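To make the weakness class concrete, the following added example (illustrative code written for this page, not Zoom’s client code; the directory layout, function names and sample file names are assumptions) contrasts a naive join of an externally supplied file name under a log/temp directory with a hardened version that rejects separators and traversal components, whitelists characters, and confirms the resolved path still sits directly inside the base directory:

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample base directory standing in for a client's log/temp area.
BASE_DIR = Path(tempfile.mkdtemp(prefix="client-files-"))


class UnsafeFileName(ValueError):
    """Raised when an externally supplied name is rejected."""


def unsafe_log_path(supplied_name: str) -> Path:
    """Naive pattern: the supplied name is joined under BASE_DIR unchecked.

    A name containing '..' components, or an absolute path (which os.path.join
    returns as-is), escapes BASE_DIR: the external-control-of-path pattern.
    """
    return Path(os.path.join(BASE_DIR, supplied_name))


def safe_log_path(supplied_name: str) -> Path:
    """Hardened pattern: constrain the name to a single, well-formed component
    and verify the resolved result is a direct child of BASE_DIR."""
    # 1. Reject empty names, '.'/'..', any separator, and NUL bytes outright.
    if (not supplied_name
            or supplied_name in (".", "..")
            or "/" in supplied_name
            or "\\" in supplied_name
            or "\0" in supplied_name):
        raise UnsafeFileName(repr(supplied_name))
    # 2. Whitelist a conservative character set and length.
    if not re.fullmatch(r"[A-Za-z0-9._-]{1,64}", supplied_name):
        raise UnsafeFileName(repr(supplied_name))
    # 3. Resolve symlinks/normalisation and confirm containment (defence in depth).
    candidate = (BASE_DIR / supplied_name).resolve()
    if candidate.parent != BASE_DIR.resolve():
        raise UnsafeFileName(repr(supplied_name))
    return candidate


def escapes_base(path: Path) -> bool:
    """True if the normalised path lies outside BASE_DIR."""
    base = BASE_DIR.resolve()
    resolved = Path(path).resolve()
    return resolved != base and base not in resolved.parents


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two traversal/absolute attempts.
    for name in ("session.log", "../../etc/passwd", "/etc/passwd"):
        naive = unsafe_log_path(name)
        print(f"{name!r}: naive join escapes base = {escapes_base(naive)}")
        try:
            print(f"  hardened -> {safe_log_path(name)}")
        except UnsafeFileName as exc:
            print(f"  hardened -> rejected {exc}")
```

The first two checks fail closed on the input itself, so the code never touches the filesystem with a hostile name; the third check catches anything the whitelist misses (for example a symlinked component inside the base directory) by comparing the fully resolved path against the resolved base.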
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) provides a standardized method for rating the severity of security vulnerabilities. Here’s a breakdown for CVE-2025-64739:
- CVSS Score: 4.3 (Medium)
- Vector: not yet available; the CVSS vector string will be added once Zoom publishes it in the corresponding security bulletin.
This score reflects the vulnerability’s medium severity, primarily due to the requirement of network access and the potential for information disclosure, but with potential limitations on the scope or impact of the disclosed information.
Possible Impact
Successful exploitation of CVE-2025-64739 could lead to the following:
- Information Disclosure: An attacker could potentially gain access to sensitive information, such as configuration details, temporary files, or other internal data.
- Potential for Further Exploitation: Disclosed information could be used to further compromise the system or network, although this is less direct.
The severity of the impact depends on the specific information that is disclosed and the attacker’s ability to leverage that information.
Mitigation and Patch Steps
The primary mitigation strategy is to update your Zoom Client to the latest version as soon as possible. Zoom has released a patch to address this vulnerability.
- Update Zoom Client: Download and install the latest version of the Zoom Client from the official Zoom website.
- Monitor Zoom Security Bulletins: Stay informed about the latest security updates and advisories from Zoom.