CERT-In Highlights Zoom Security Flaws That Could Let Hackers Access Meeting, Sensitive Information

The Indian Computer Emergency Response Team (CERT-In) has published a vulnerability note alerting Zoom users that multiple security flaws have been detected on certain versions of the video conferencing platform. The vulnerability exists across operating systems like Windows, macOS, iOS, and Android. By exploiting the flaw, hackers can gain unauthorised access to Zoom Rooms, remotely execute malicious commands, exit meetings, reveal information not meant to be shared, and access configuration data. The issue has since been resolved in a recently rolled out update, and users are urged to update to the latest version.

Multiple Security Flaws Spotted in Certain Versions of Zoom

In its latest vulnerability note CIVN-2025-0261, CERT-In warns Zoom users about multiple vulnerabilities with a "medium" severity rating. The security flaws were found in the Zoom for Windows, macOS, Android, and iOS versions 6.5.1. The vulnerabilities can be exploited by threat actors, allowing them to gain unauthorised access to meetings and configuration data. Moreover, the same can be misused by bad actors to disclose sensitive information and execute arbitrary commands, like running scripts.

CERT-In highlighted that the vulnerability affects both individuals and organisations using the video conferencing software, compromising the security of the ongoing and future meetings.

However, the company has already patched the vulnerabilities in an update rolled out on October 14. CERT-In advises people using the above-mentioned versions of the app to update to the latest available version of Zoom on their device. This will help them protect themselves against cyberattacks, which compromise their personal data and sensitive organisational information like trade secrets.

Zoom said that the authentication bypass issue allowed unauthenticated users to disclose information via network access. On the other hand, the command injection flaw in Zoom Clients for Windows allowed authenticated users to disclose information after gaining network access.

The security vulnerabilities seem to exist due to improper input sanitisation and inadequate session validation, CERT-In said. This means that these particular Zoom versions do not validate the user ID of the person joining Zoom Rooms. Moreover, the video conferencing platform has been unable to adequately filter and transform the input data provided by users before it is fed into the system.