Zoom Rooms for Windows and macOS Flaws Enable Privilege Escalation and Sensitive Data Leaks

Zoom has disclosed two critical security vulnerabilities in its Zoom Rooms software for Windows and macOS, which could allow attackers with local access to escalate privileges or expose sensitive information.

Tracked as ZSB-25050 and ZSB-25051, these flaws affect versions prior to 6.6.0 and carry high-to-medium CVSS scores. Organizations relying on Zoom Rooms for conference setups face elevated risks in shared environments like boardrooms or huddle spaces.

The issues stem from a software downgrade protection failure on Windows and improper external control of file names on macOS, both of which are exploitable via local access. Security teams urge immediate patching to prevent unauthorized privilege gains or data disclosures.

Windows Software Downgrade Protection Bypassed (ZSB-25050)

Zoom Rooms for Windows before version 6.6.0 suffers from a protection mechanism failure, enabling unauthenticated local users to escalate privileges. This high-severity flaw, reported by an anonymous researcher, could let attackers gain elevated control over the system.

| Bulletin | CVE ID | CVSS Severity | CVSS Score | Vector String | Description |
| --- | --- | --- | --- | --- | --- |
| ZSB-25050 | CVE-2025-67460 | High | 7.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | Software downgrade protection failure allows unauthenticated privilege escalation via local access. |

Affected Products: Zoom Rooms for Windows < 6.6.0

macOS File Path Control Vulnerability (ZSB-25051)

On macOS, an authenticated user can exploit external control of file names or paths to disclose sensitive information. This medium-risk issue requires user interaction but could leak confidential data in enterprise deployments.

| Bulletin | CVE ID | CVSS Severity | CVSS Score | Vector String | Description |
| --- | --- | --- | --- | --- | --- |
| ZSB-25051 | CVE-2025-67461 | Medium | 5.0 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N | External control of file name/path allows info disclosure via local access. |

Affected Products: Zoom Rooms for macOS < 6.6.0

Zoom recommends updating to version 6.6.0 or later via the official download page. No evidence of active exploitation exists yet, but the local-access vector suits insider threats or compromised endpoints.

These flaws highlight ongoing risks in collaboration tools, especially post-hybrid work shifts. Enterprises should audit Zoom Rooms deployments, enforce least-privilege access, and monitor for downgrade attempts.
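One way to carry out the audit and downgrade monitoring recommended above, as an added example that is not from the article or from Zoom: it checks endpoint inventory snapshots against the 6.6.0 fix and flags any host whose reported version went backwards. The inventory layout, host names, timestamps and version-string shapes are constructed assumptions.

```python
import re
from collections import defaultdict

FIXED = (6, 6, 0)  # first fixed Zoom Rooms release per the bulletins above

# Constructed sample inventory: (host, os, reported version, ISO timestamp).
# The export layout and version-string shapes are assumptions for illustration.
SAMPLE = [
    ("boardroom-01", "windows", "6.6.0 (5123)", "2025-12-01T08:00:00"),
    ("boardroom-01", "windows", "6.4.5 (4811)", "2025-12-03T08:00:00"),
    ("huddle-07", "macos", "6.5.1", "2025-12-01T08:00:00"),
    ("huddle-07", "macos", "6.6.2", "2025-12-03T08:00:00"),
    ("lobby-02", "windows", "unknown", "2025-12-03T08:00:00"),
]

def parse_version(text):
    """Return (major, minor, patch), or None if no version can be read."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def audit(records):
    """Return {host: sorted list of findings} for hosts needing attention."""
    history = defaultdict(list)
    for host, _os, raw, ts in records:
        history[host].append((ts, parse_version(raw)))
    findings = {}
    for host, seen in history.items():
        seen.sort(key=lambda r: r[0])  # ISO timestamps sort lexically
        issues = set()
        latest = seen[-1][1]
        if latest is None:
            # Do not treat an unreadable version as patched.
            issues.add("unparseable-version")
        elif latest < FIXED:
            issues.add("below-6.6.0")
        # A version that decreases between consecutive snapshots is a downgrade.
        known = [v for _, v in seen if v is not None]
        if any(later < earlier for earlier, later in zip(known, known[1:])):
            issues.add("downgrade-observed")
        if issues:
            findings[host] = sorted(issues)
    return findings

if __name__ == "__main__":
    for host, issues in sorted(audit(SAMPLE).items()):
        print(host, ", ".join(issues))
```
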

CISA has not yet issued alerts, but vulnerability trackers like NVD will soon list these CVEs.

The post Zoom Rooms for Windows and macOS Flaws Enable Privilege Escalation and Sensitive Data Leaks appeared first on Cyber Security News.

Source: cybersecuritynews.com
