Security researchers discovered a zero-day vulnerability in video conferencing platform Zoom which can be used by threat actors to launch remote code execution (RCE) attacks.

The flaw was discovered as part of the Pwn2Own contest, organized by cybersecurity firm Trend Micro’s Zero Day Initiative (ZDI). The competition is designed for white-hat cybersecurity specialists who take part in the discovery of zero-day vulnerabilities in popular software and services.

Daan Keuper and Thijs Alkemade, from the Netherlands-based Computest, won $200,000 for their Zoom discovery.

The researchers revealed a three-bug attack chain that caused an RCE on a target machine, without any form of user interaction.

Since Zoom has not yet had time to patch the security issue, the specific technical details of the vulnerability have not been made public. It is a standard practice to offer vendors a 90-day window to fix a newly discovered security flaw.

However, the Zero Day Initiative posted an animated gif of the attack to demonstrate how a threat actor was able to open the calculator program of a PC running Zoom following its exploit.

According to a Malwarebytes report, the attack works on the Windows and Mac versions of the Zoom software, but it does not affect the browser version. It is not clear whether the iOS and Android apps are vulnerable since Keuper and Alkemade did not look into them.

Following the discovery, Zoom expressed its gratitude to the winning team saying

We are working to mitigate this issue with respect to Zoom Chat, our group messaging product. In-session chat in Zoom Meetings and Zoom Video Webinars are not impacted by the issue. The attack must also originate from an accepted external contact or be a part of the target’s same organizational account.
As a best practice, Zoom recommends that all users only accept contact requests from individuals they know and trust. If you think you’ve found a security issue with Zoom products, please send a detailed report to our Vulnerability Disclosure Program in our Trust Center.


For the time being, the only ones that know how the vulnerability works are the two cybersecurity researchers and Zoom. As long as it stays that way there is not much that Zoom users have to worry about. The chances of this attack being used in the wild are low, but if you’re concerned, you can use the Zoom browser interface until a patch is released.

SECURITY ALERT: Zoom Video Phishing Emails Targeting Corporate HVTs (UPDATED)

SECURITY ALERT: Zoom Under Scrutiny in Wake of UNC Patch Injection Issue Disclosure

Leave a Reply

Your email address will not be published. Required fields are marked *