Cyber999 Advisories

1.0 Introduction
Recently, Zoom has released security updates to address the multiple vulnerabilities in its products.

2.0 Impact
These vulnerabilities could allow attacker to escalate privileges, cause denial-of-service (DoS), read sensitive memory, or bypass security controls.

3.0 Affected Products

• CVE-2025-30663 (High): Time-of-check Time-of-use (TOCTOU) race condition, allowing privilege escalation on all platforms.
• CVE-2025-30668 (Medium): Integer underflow in Windows client, potentially leading to application crashes or code execution.
• CVE-2025-46786, CVE-2025-46787 (Medium): Improper neutralization of special elements, enabling injection of malicious inputs on all platforms.
• CVE-2025-46785 (Medium): Buffer over-read in Windows client, which could expose sensitive memory or cause instability.
• CVE-2025-30667 (Medium): NULL pointer dereference on all platforms, potentially resulting in DoS or arbitrary code execution.
• CVE-2025-30665, CVE-2025-30666 (Medium): NULL pointer dereference in Windows client, leading to application crash or privilege escalation.
• CVE-2025-30664 (Medium): Improper neutralization of special elements, allowing security control bypass on all platforms.

4.0 Recommendations
Users and system administrators are encouraged to review the Zoom Security Bulletin and upgrade to the latest version.

Kindly refer to the URL for more information:

• https://www.zoom.com/en/trust/security-bulletin/ZSB-25016/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25017/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25018/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25019/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25021/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25022/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25020/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25015/

Generally, CyberSecurity Malaysia advises the users to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact us through the following channels:

E-mail: cyber999[at]cybersecurity.my 
Phone: 1-300-88-2999 (monitored during business hours) 
Mobile: +60 19 2665850 (24x7 call incident reporting) 
Business Hours: Mon - Fri 08:30 -17:30 MYT 
Web: https://www.mycert.org.my 

6.0 References

• https://www.zoom.com/en/trust/security-bulletin/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25016/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25017/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25018/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25019/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25021/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25022/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25020/
• https://www.zoom.com/en/trust/security-bulletin/ZSB-25015/