SecurityWeek

Nvidia, Zoom, Zyxel Patch High-Severity Vulnerabilities

Nvidia, Zoom, and Zyxel have released patches for multiple high-severity vulnerabilities across their products.

Nvidia, Zoom, and Zyxel this week announced fixes for multiple high-severity vulnerabilities in their products, urging users to update devices as soon as possible.

Nvidia released patches for three security defects in Container Toolkit and GPU Operator for Linux, including two high-severity improper isolation bugs that could be exploited using crafted container images.

The first issue, tracked as CVE-2024-0135, could lead to the modification of a host binary, while the second, tracked as CVE-2024-0136, could lead to untrusted code gaining read and write access to host devices.

In both cases, successful exploitation could result in code execution, privilege escalation, denial-of-service (DoS), information disclosure, and data tampering, but the second flaw only impacts Container Toolkit deployments that are configured in a nondefault way.

Both vulnerabilities were resolved in Container Toolkit version 1.17.1 and GPU Operator version 24.9.1. These releases also address CVE-2024-0137, a medium-severity improper isolation vulnerability that could lead to untrusted code running in the host’s network namespace.

Zoom rolled out patches for a high-severity type confusion issue in the Workplace app for Linux that could allow authenticated network attackers to escalate privileges. Tracked as CVE-2025-0147, the flaw also impacts Meeting SDK for Linux and Video SDK for Linux.

The company also resolved medium- and low-severity vulnerabilities in the installers for Workplace apps for macOS and Windows, in the Workplace apps for desktop and mobile devices, and in the Jenkins bot plugin.

On Tuesday, Zyxel announced fixes for an improper privilege management flaw in the web interface of 23 access point and router models. The bug is tracked as CVE-2024-12398 (CVSS score of 8.8).

“The improper privilege management vulnerability in the web management interface of certain AP and security router firmware versions could allow an authenticated user with limited privileges to escalate their privileges to that of an administrator, enabling them to upload configuration files to a vulnerable device,” Zyxel notes.

According to a NIST advisory, the security defect impacts Zyxel WBE530 firmware versions through 7.00(ACLE.3) and WBE660S firmware versions through 6.70(ACGG.2). The company has released patches for 22 access point models and one router model.

Zyxel makes no mention of the vulnerability being exploited in the wild, but threat actors are known to have targeted flaws in Zyxel products.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
