Zoom has released several new security bulletins addressing vulnerabilities across its Workplace platform, affecting users on Android, Windows, macOS, and virtual desktop infrastructure (VDI) clients.
The latest disclosures include two high-severity flaws. One could let attackers bypass access controls on Android devices, and another involves improper signature validation in the Windows VDI client.
Several medium-severity issues were also identified, including weaknesses in file path handling and application stability.
These disclosures come amid growing scrutiny of the security of remote collaboration tools, as threat actors continue to target platforms that support hybrid work. While Zoom hasn’t reported evidence of active exploitation, independent researchers warn the flaws could pose risks if used together.
Each issue has been assigned a CVE, and users are urged to update affected clients promptly to reduce the chance of unauthorized access or service disruption.
Why It Matters: Security gaps in communication software extend beyond meeting access. Weak verification and unstable performance can open paths to data leaks or unauthorized activity. When combined, these flaws could give attackers wide control over user environments. Keeping all platforms updated remains one of the most effective ways to prevent disruption and data loss.
- Zoom Workplace for Android: Improper Authorization Handling (CVE-2025-64741 – ZSB-25043): In affected versions of Zoom Workplace for Android, permission validation does not function correctly. This flaw makes it possible for unauthorized users to carry out actions typically restricted to authenticated sessions. Attackers could exploit this to join meetings without being invited or access data shared within active sessions. The issue affects builds released before the most recent patch, where access control checks are incomplete during network requests.
- Zoom Workplace VDI Client for Windows: Signature Verification Failure (CVE-2025-64740 – ZSB-25042): The VDI client on Windows systems fails to properly verify digital signatures during the update process. As a result, the client may accept modified or untrusted software packages without detecting tampering. This creates a scenario where attackers can deliver altered files that appear legitimate. Such weaknesses have previously enabled supply chain compromises in other environments, raising concern about the risk of malware propagation through trusted delivery channels.
- Zoom Clients on Windows and macOS: File Path Manipulation (CVE-2025-64739 – ZSB-25041): A medium-severity flaw affecting various Zoom clients allows external input to control file paths and filenames. When exploited, this can redirect file operations to unintended or unprotected locations. On its own, the issue may expose sensitive data or disrupt normal application behavior. When paired with other vulnerabilities, it could also enable code execution or manipulation of internal files.
- Zoom Workplace for macOS: Directory Traversal Vulnerability (CVE-2025-64738 – ZSB-25040): A separate but related flaw affects the macOS version of Zoom Workplace. Through crafted input, attackers can perform directory traversal, targeting areas outside the intended file system boundaries. This could result in critical files being overwritten or manipulated. The flaw mirrors file system issues commonly found in web applications, but its presence in a desktop environment introduces new risk for endpoint systems.
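The two file-path items above (CVE-2025-64739 and CVE-2025-64738) share one defensive pattern: a client that lets external input choose a file name must resolve the result and confirm it still lies inside the directory it intended to write to. The following is an added illustration, not code from Zoom or from the bulletins; it canonicalises with os.path.realpath so that '..' segments, mixed separators and symbolic links are resolved before the containment test, and the file names it exercises are constructed for the example.

```python
import os
import tempfile


def resolve_within(base_dir: str, untrusted_relpath: str) -> str:
    """Return the absolute path of untrusted_relpath inside base_dir, or raise ValueError."""
    if not untrusted_relpath or "\0" in untrusted_relpath:
        raise ValueError("empty or malformed file name")
    # Treat backslashes as separators so a Windows-style '..\\..\\' sequence
    # cannot slip past a check written only for '/'.
    normalised = untrusted_relpath.replace("\\", "/")
    if os.path.isabs(normalised) or normalised.startswith("/"):
        raise ValueError("absolute paths are not allowed")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalised))
    # commonpath also defeats prefix tricks such as /data/zoom vs /data/zoom-evil.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError(f"path escapes the allowed directory: {untrusted_relpath!r}")
    return candidate


def demo_results() -> dict:
    """Run the check over constructed file names and report allowed/rejected."""
    inputs = [
        "recording.mp4",              # ordinary file in the base directory
        "chat/2025-11-12.txt",        # subdirectory, still inside
        "../../etc/passwd",           # classic traversal
        "chat/../../outside.txt",     # traversal hidden behind a valid prefix
        "/etc/passwd",                # absolute path
        "..\\..\\Windows\\win.ini",   # Windows-style separators
    ]
    results = {}
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "chat"))
        try:
            # A symlink inside the base that points outside it must be refused too.
            os.symlink(os.path.dirname(os.path.realpath(base)), os.path.join(base, "link"))
            inputs.append("link/escaped.txt")
        except OSError:
            pass  # symlink creation may be unavailable (e.g. unprivileged Windows)
        for name in inputs:
            try:
                resolve_within(base, name)
                results[name] = "allowed"
            except ValueError:
                results[name] = "rejected"
    return results
```

The same containment check applies whether the input names a file to write (recordings, chat exports) or a file to read; string-prefix comparisons without canonicalisation are the usual reason such checks fail.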
- Zoom Workplace for Windows: Application Instability from Null References (CVE-2025-30670 and CVE-2025-30671 – ZSB-25015): These medium-severity bugs, first documented in April and expanded in the November bulletin, involve improper handling of null pointers within the Windows version of Zoom Workplace. When triggered, they can cause the application to crash or stop responding. While these flaws do not allow for code execution, repeated crashes could interrupt ongoing sessions or create a denial-of-service condition, especially in environments that rely on continuous availability.