Zoom Conferencing App Exposes Enterprises to Attacks

A potentially serious vulnerability discovered by researchers in the Zoom video conferencing application can allow external attackers or malicious insiders to hijack screen controls, spoof chat messages, and remove attendees from a session.

Tenable researcher David Wells discovered recently that the Zoom applications for Windows and macOS are affected by a vulnerability that can be exploited by an unauthorized user to invoke functions normally reserved for Zoom servers.

The security hole, whose exploitation requires sending specially crafted UDP packets, can be used by a malicious insider who has access to the targeted meeting, by an attacker with access to the local network, or by a remote hacker over the Internet.

“This bug is due to the fact that Zoom’s internal messaging pump (util.dll!ssb::events_t::loop) dispatches both client User Datagram Protocol (UDP) and server Transmission Control Protocol (TCP) messages (from util.dll!ssb::select_t::loop) to the same message handler in ssb_sdk.dll. This allows an attacker to craft and send UDP packets which get interpreted as messages processed from the trusted TCP channel used by authorized Zoom servers,” Tenable explained.

The flaw can be exploited to bypass screen control permissions and hijack a meeting attendee’s desktop by sending keystrokes and mouse movements, to send chat messages impersonating other users, or remove and lock out users.
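The design weakness Tenable describes, a single handler fed by both the UDP and TCP loops, can be shown with a small dispatcher that either ignores or enforces the transport a message arrived on. This is an added illustration, not code from Zoom or Tenable; the message type names, the `Channel` tag and the sample traffic are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Transport a message arrived on; set by the receive loop, never read from the packet.
enum class Channel { ServerTcp, PeerUdp };

// Hypothetical message types (the article does not list Zoom's real ones).
enum class MsgType : std::uint8_t { MediaFrame, RemoteControlInput, ChatRelay, RemoveAttendee };

struct Message { Channel origin; MsgType type; std::string body; };

// Assumed mapping: screen control, chat relay and removal are server-only.
bool server_only(MsgType t) { return t != MsgType::MediaFrame; }

// Weak pattern: both transports feed one handler that ignores the origin.
bool dispatch_shared(const Message& m, std::vector<std::string>& applied) {
    applied.push_back(m.body);
    return true;
}

// Hardened pattern: privileged types are honoured only from the server TCP channel.
bool dispatch_checked(const Message& m, std::vector<std::string>& applied) {
    if (server_only(m.type) && m.origin != Channel::ServerTcp) return false;
    applied.push_back(m.body);
    return true;
}

// Constructed sample: one genuine server command, one media frame,
// and two privileged messages that arrived over UDP.
std::vector<Message> sample() {
    return {
        {Channel::ServerTcp, MsgType::RemoveAttendee, "server removes attendee"},
        {Channel::PeerUdp, MsgType::MediaFrame, "audio frame"},
        {Channel::PeerUdp, MsgType::RemoteControlInput, "keystroke"},
        {Channel::PeerUdp, MsgType::ChatRelay, "chat under another name"},
    };
}

// Number of sample messages the chosen dispatcher acts on.
std::size_t count_applied(bool checked) {
    std::vector<std::string> applied;
    for (const Message& m : sample()) {
        if (checked) dispatch_checked(m, applied);
        else dispatch_shared(m, applied);
    }
    return applied.size();
}

int main() {
    std::cout << "shared handler applied " << count_applied(false) << " of 4\n";
    std::cout << "checked handler applied " << count_applied(true) << " of 4\n";
}
```

The origin tag is only trustworthy because the receiving loop assigns it; a field carried inside the datagram would be under the sender's control.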

Tenable has published a video and a proof-of-concept (PoC) exploit that show how an attacker can take control of the meeting presenter’s screen and open the calculator on their device.

The security firm noted that exploitation requires knowledge of an attendee’s IP address, the IP of the Zoom server, and the attendee’s ID. This last piece of information can be easily brute-forced, the company said.

In order to exploit this vulnerability from the Internet, an attacker would have to be able to spoof a public IP in a UDP packet. However, Tenable has admitted that this is a theoretical attack scenario that it has not tested.

“In this scenario, the remote attacker could exploit this vulnerability by spoofing the WAN IP and trivially brute force the source port the victim is using for the UDP session with the Zoom server while the meeting is live,” the company explained.

Tenable informed Zoom of the vulnerability on October 11 and it was patched on November 19 with the release of version 4.1.34814.1119 for Windows and version 4.1.34801.1116 for macOS. However, the vendor’s release notes only list “minor bug fixes” and don’t mention any security flaws.

Tenable noted that such a vulnerability can pose a serious risk to organizations. In this case, Zoom claims its video communications platform is used by more than 750,000 companies.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
