
Zoom and Xerox Release Critical Security Updates Fixing Privilege Escalation and RCE Flaws

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

The issue, reported by its own Offensive Security team, affects the following products:

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10

The disclosure comes as multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include:

  • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
  • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution

“These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack,” Horizon3.ai said.
