
Zoom has issued a patch for a vulnerability that could lead to a full system takeover.
The vulnerability, tracked as CVE-2022-28756 with a CVSS score of 8.8, was found in Zoom for macOS versions 5.7.3 to 5.11.3 and potentially allowed an attacker to gain access to, and take over, an Apple computer through Zoom’s package installer.
The vulnerability lies in the way Zoom’s auto-update client connects to a privileged daemon (a privileged background service). Exploiting it is a two-step process:
- The threat actor bypasses Zoom’s verification check, tricking the update manager into downgrading Zoom to an earlier, more easily exploitable version, or even into installing an entirely different package.
- Building on that first stage, the more vulnerable version of Zoom (or the substituted package) lets the attacker gain root access to the victim’s Mac.
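The two-step chain above works because a privileged updater that checks only a signature, but not the version, will happily install an older, signed, vulnerable build. As an added illustration (not Zoom’s updater code and not describing its internals), the following constructed example models the two checks such a daemon needs: the package must be signed by the expected party, and its version must not be lower than the installed one. It also includes a helper that tells whether a given version string falls inside the affected range the article gives (5.7.3 to 5.11.3) or is below the fixed release (5.11.5). The `Package` fields and `TRUSTED_TEAM_ID` are hypothetical placeholders.

```python
"""Constructed example: downgrade-resistant update acceptance check.

This is NOT Zoom's code. It models, in a generic way, the property that a
privileged auto-update daemon needs against the class of flaw described in
the article: a candidate package must be legitimately signed AND must not
be older than what is already installed, otherwise a signed but vulnerable
older build can be fed to the daemon.
"""
from dataclasses import dataclass

# Version bounds taken from the article.
AFFECTED_MIN = (5, 7, 3)
AFFECTED_MAX = (5, 11, 3)
FIXED = (5, 11, 5)

# Placeholder identity of the legitimate signer; not Zoom's real identifier.
TRUSTED_TEAM_ID = "EXAMPLE-TEAM-ID"


def parse_version(text: str) -> tuple:
    """Turn a dotted version string such as '5.11.3' into a comparable tuple.

    Components are padded with zeros to at least three places so that
    '5.11' and '5.11.0' compare equal. Non-numeric input raises ValueError.
    """
    parts = text.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True if the installed version lies in the affected range from the article."""
    v = parse_version(version)
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def needs_update(version: str) -> bool:
    """True if the installed version is older than the fixed release."""
    return parse_version(version) < FIXED


@dataclass(frozen=True)
class Package:
    """Hypothetical view of a candidate update package.

    signer_team_id and signature_valid stand in for the result of a real
    code-signing verification step; they are inputs here, not computed.
    """
    version: str
    signer_team_id: str
    signature_valid: bool


def accept_update(installed: str, pkg: Package) -> tuple:
    """Decide whether a privileged updater should install `pkg`.

    Returns (accepted, reason). Order matters: untrusted or unsigned input
    is rejected before anything else is looked at, and a version equal to
    or lower than the installed one is refused so that a signed older
    build cannot be used to reintroduce a known vulnerability.
    """
    if not pkg.signature_valid:
        return False, "signature invalid"
    if pkg.signer_team_id != TRUSTED_TEAM_ID:
        return False, "signed by untrusted party"
    if parse_version(pkg.version) <= parse_version(installed):
        return False, "refusing downgrade or reinstall"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: installed build is in the affected range.
    installed = "5.11.3"
    print("affected:", is_affected(installed), "needs update:", needs_update(installed))
    older_signed = Package("5.9.0", TRUSTED_TEAM_ID, True)
    print("older signed build ->", accept_update(installed, older_signed))
    fixed = Package("5.11.5", TRUSTED_TEAM_ID, True)
    print("fixed build ->", accept_update(installed, fixed))
```

The point of the ordering in `accept_update` is that the signature check alone is not sufficient: the downgrade refusal is what closes the first step of the chain, and it must be enforced by the privileged side, not by the unprivileged client that asks for the update.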
Zoom was informed of the vulnerability seven months before security researcher Wardle went public with the details, and had ample opportunity to patch it properly, but failed to do so.
According to Wardle, just before DEF CON, Zoom said it had fixed the vulnerability. However, “after he applied the patch, he noticed that there was still a gaping hole in the update process.” The fix for the flawed fix followed only after Wardle’s presentation at DEF CON.
Wardle is well known in the security community and did the right thing at every stage, not only informing Zoom but also offering to help it fix the issue. That it took Zoom seven months to address a known vulnerability, and then to release a flawed update, does not reflect well on the company.
It is recommended to update to version 5.11.5 as soon as possible.