Google’s Project Zero has disclosed the details of a zero-click remote code execution exploit targeting the Zoom video conferencing software.
Project Zero’s Ivan Fratric has described an exploit chain that can be used by a malicious actor to compromise a Zoom user over the chat feature — without user interaction — by sending them a message over the XMPP protocol. Part of Fratric’s exploit chain has been dubbed “XMPP Stanza Smuggling.”
Fratric has described a total of six vulnerabilities. Two of the flaws, tracked as CVE-2022-25235 and CVE-2022-25236, actually impact the popular open source XML parser Expat.
Since the library is used in many projects, several major vendors have released advisories to inform their customers about the impact of these and other Expat vulnerabilities, including IBM, Aruba, various Linux distributions, Oracle, and F5.
The Zoom-specific vulnerabilities found by Fratric have been described by Zoom as high- and medium-severity issues related to improper XML parsing (CVE-2022-22784), update package downgrading (CVE-2022-22786), insufficient hostname validation (CVE-2022-22787), and improperly constrained session cookies (CVE-2022-22785).
CVE-2022-22786 affects Zoom Client for Meetings for Windows and Zoom Rooms for Conference Room for Windows. The rest affect Zoom Client for Meetings on all desktop and mobile platforms.
Zoom patched server-side issues in February and client-side vulnerabilities at a later date — Zoom says in version 5.10.0 (released in March) and Fratric says in version 5.10.4 (released in April).
Google Project Zero has made Fratric’s bug report and proof-of-concept (PoC) exploits public.
“[The XMPP Stanza Smuggling vulnerability] abuses parsing inconsistencies between XML parsers on Zoom’s client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack,” the researcher explained.
“Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer,” he added.
This is not the first time Google Project Zero researchers have found potentially serious vulnerabilities in the Zoom video conferencing platform. However, currently there are no reports of Zoom flaws being exploited in the wild.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
