Overview

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution.

Zoom:

The vulnerability impacting Zoom Clients for Windows, tracked as CVE-2025-49457 (CVSS score: 9.6), relates to a case of an untrusted search path that could pave the way for privilege escalation.

“Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access,” Zoom said in a security bulletin on Tuesday.

Xerox:

Multiple vulnerabilities have been disclosed in Xerox FreeFlow Core, the most severe of which could result in remote code execution. The issues, which have been addressed in version 8.0.4, include:

  • CVE-2025-8355 (CVSS score: 7.5) – XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF)
  • CVE-2025-8356 (CVSS score: 9.8) – Path traversal vulnerability leading to remote code execution


Affected Devices

Zoom:

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10

Xerox:

  • FreeFlow Core: Versions prior to 8.0.5
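The affected-version lists above are easy to misread when an exception applies (the VDI client excludes 6.1.16 and 6.2.12). The following added example, not part of this advisory or of either vendor's tooling, encodes those ranges and triages a constructed software inventory against them; the product names, host names and the 8.0.5 cut-off for FreeFlow Core are taken from the list above, and the inventory rows are invented sample data.

```python
from typing import Optional, List, Tuple

# Product -> (first fixed version, versions explicitly excluded from the affected range),
# transcribed from the "Affected Devices" list above.
AFFECTED = {
    "Zoom Workplace for Windows": ("6.3.10", ()),
    "Zoom Workplace VDI for Windows": ("6.3.10", ("6.1.16", "6.2.12")),
    "Zoom Rooms for Windows": ("6.3.10", ()),
    "Zoom Rooms Controller for Windows": ("6.3.10", ()),
    "Zoom Meeting SDK for Windows": ("6.3.10", ()),
    "Xerox FreeFlow Core": ("8.0.5", ()),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.3.10' into (6, 3, 10) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the build falls in the affected range, False if fixed or explicitly
    excluded, None if the product is not covered by this advisory."""
    entry = AFFECTED.get(product)
    if entry is None:
        return None
    fixed, excluded = entry
    v = parse_version(version)
    # Excluded builds are named in the advisory as not affected even though they are older.
    if any(v == parse_version(x) for x in excluded):
        return False
    return v < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that still need the patch."""
    return [row for row in inventory if is_affected(row[1], row[2])]


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace for Windows", "6.3.5"),
    ("ws-02", "Zoom Workplace for Windows", "6.3.10"),
    ("vdi-01", "Zoom Workplace VDI for Windows", "6.2.12"),
    ("vdi-02", "Zoom Workplace VDI for Windows", "6.2.11"),
    ("print-01", "Xerox FreeFlow Core", "8.0.4"),
    ("print-02", "Xerox FreeFlow Core", "8.0.5"),
]

if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is affected")
```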


Recommended Remediations

ctrl:cyber strongly recommends the following actions to mitigate the risk:

  • Apply the latest patches for the above software. Links can be found below:
      Zoom Update Guide
      Xerox Update Guide
  • Periodically review all systems and applications for vulnerabilities and compliance with security best practices.
  • Make sure employees are aware of potential social engineering attacks that could exploit these vulnerabilities.