Security Experts:

Connect with us

Hi, what are you looking for?



Google Discloses Details of Zoom Zero-Click Remote Code Execution Exploit

Google’s Project Zero has disclosed the details of a zero-click remote code execution exploit targeting the Zoom video conferencing software.

Google’s Project Zero has disclosed the details of a zero-click remote code execution exploit targeting the Zoom video conferencing software.

Project Zero’s Ivan Fratric has described an exploit chain that can be used by a malicious actor to compromise a Zoom user over the chat feature — without user interaction — by sending them a message over the XMPP protocol. Part of Fratric’s exploit chain has been dubbed “XMPP Stanza Smuggling.”

Fratric has described a total of six vulnerabilities. Two of the flaws, tracked as CVE-2022-25235 and CVE-2022-25236, actually impact the popular open source XML parser Expat.

Since the library is used in many projects, several major vendors have released advisories to inform their customers about the impact of these and other Expat vulnerabilities, including IBM, Aruba, various Linux distributions, Oracle, and F5.

The Zoom-specific vulnerabilities found by Fratric have been described by Zoom as high- and medium-severity issues related to improper XML parsing (CVE-2022-22784), update package downgrading (CVE-2022-22786), insufficient hostname validation (​​CVE-2022-22787), and improperly constrained session cookies (CVE-2022-22785).

CVE-2022-22786 affects Zoom Client for Meetings for Windows and Zoom Rooms for Conference Room for Windows. The rest affect Zoom Client for Meetings on all desktop and mobile platforms.

Zoom patched server-side issues in February and client-side vulnerabilities at a later date — Zoom says in version 5.10.0 (released in March) and Fratric says in version 5.10.4 (released in April).

Google Project Zero has made Fratric’s bug report and proof-of-concept (PoC) exploits public.

“[The XMPP Stanza Smuggling vulnerability] abuses parsing inconsistencies between XML parsers on Zoom’s client and server in order to be able to ‘smuggle’ arbitrary XMPP stanzas to the victim client. From there, by sending a specially crafted control stanza, the attacker can force the victim client to connect to a malicious server, thus turning this primitive into a man-in-the-middle attack,” the researcher explained.

“Finally, by intercepting/modifying client update requests/responses, the victim client downloads and executes a malicious update, resulting in arbitrary code execution. A client downgrade attack is utilized to bypass signature check on the update installer,” he added.

This is not the first time Google Project Zero researchers have found potentially serious vulnerabilities in the Zoom video conferencing platform. However, currently there are no reports of Zoom flaws being exploited in the wild.

Related: Details Disclosed for Zoom Exploit That Earned Researchers $200,000

Related: $200,000 Awarded for Zero-Click Zoom Exploit at Pwn2Own

Related: Zoom Is 16th CVE Numbering Authority Appointed in 2021

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.