Critical Zoom Vulnerability Exposes Windows Users to Attacks

A vulnerability has been identified in the Zoom Workplace Virtual Desktop Infrastructure (VDI) Client for Windows, potentially allowing attackers to escalate privileges on affected systems.

The flaw was disclosed in Zoom’s recent security bulletin.

Inside the Zoom Vulnerability

The vulnerability (CVE-2025-64740) originates from improper verification of cryptographic signatures in the Zoom Workplace VDI Client for Windows installer. 

Normally, digital signatures confirm the authenticity and integrity of software, ensuring it was issued by a trusted vendor and has not been altered. 

In this case, the installer fails to fully validate those signatures, meaning an authenticated local user — such as a standard account holder or an attacker with limited system access — could manipulate the installation process. 

By introducing tampered components that appear legitimate, the attacker could run malicious code under trusted permissions. 

Although the flaw is not exploited remotely, it allows local users to escalate privileges when the installer runs with elevated rights.

Once exploited, the vulnerability enables attackers to gain administrative or SYSTEM-level control, allowing them to execute unauthorized commands, install persistent malware, and access sensitive files. 

This elevation of privilege can facilitate lateral movement across networks, bypassing defenses and compromising additional systems. 

Defenders should remain alert for signs of exploitation, such as unexpected installer activity, mismatched digital signatures, or abnormal elevation events detected by endpoint monitoring tools.  

Affected Versions

According to the security bulletin, the vulnerability impacts Zoom Workplace VDI Client for Windows versions prior to 6.3.14, 6.4.12, and 6.5.10. 

The exploitation requires local access and user interaction, making it moderately complex to execute.  

The root cause lies in the improper cryptographic verification process during installation. 

Essentially, the installer fails to validate whether the software being executed is legitimate or has been tampered with. 

This flaw opens an opportunity for malicious actors to inject harmful code into the installation process under the guise of a trusted application.

Building Layers of Defense 

While applying Zoom’s latest security patch is a critical step in addressing CVE-2025-64740, patching alone may not fully eliminate the risk of exploitation. 

Organizations should also adopt additional defensive measures that strengthen their overall security posture and reduce opportunities for privilege escalation.

• Apply the principle of least privilege: Limit user permissions, disable unnecessary local administrator accounts, and enforce multi-factor authentication (MFA) for administrative actions to reduce privilege abuse.
• Use centralized and controlled software deployment: Manage Zoom and other applications through secure enterprise deployment tools rather than allowing manual local installations.
• Implement code integrity and application controls: Enforce trusted execution policies using tools to ensure only verified, signed software can run.
• Enhance endpoint and network monitoring: Utilize EDR or SIEM solutions to detect abnormal privilege escalations, unsigned binaries, and lateral movement attempts across the network.
• Strengthen change management and audit practices: Require approval and logging for software installations, regularly audit system configurations, and validate installer authenticity through digital signature checks.
• Promote security awareness and safe installation habits: Train employees to download software only from official sources, recognize tampering or unexpected installer prompts, and report suspicious system activity promptly.

By implementing these measures alongside timely patching, organizations can reduce their exposure to privilege escalation attacks.

The disclosure of CVE-2025-64740 underscores the critical importance of maintaining software integrity and practicing proactive security management. 

As threat actors increasingly leverage artificial intelligence (AI) to accelerate the development of exploits for newly reported vulnerabilities, organizations must act swiftly and adopt layered defenses to stay ahead of emerging threats.

To strengthen these defenses and reduce the impact of future vulnerabilities, many organizations are turning to zero-trust security tools that continuously verify users, devices, and applications before granting access.