
Zoom & Xerox Patch Critical RCE & Privilege Flaws

Zoom and Xerox have rolled out critical security updates to fix high-severity flaws in their products. A significant vulnerability in Zoom Clients for Windows could allow privilege escalation, while multiple issues in Xerox FreeFlow Core could lead to remote code execution (RCE). The vendors' advisories identify the vulnerabilities, including CVE-2025-49457 for Zoom and CVE-2025-8356 for Xerox, and urge users to update their systems immediately to prevent exploitation by attackers.

Zoom and Xerox have addressed critical security flaws in Zoom Clients for Windows and FreeFlow Core that could allow privilege escalation and remote code execution. Users are advised to apply the latest patches immediately to protect their systems from potential attacks.

Zoom Flaw Enables Privilege Escalation

A significant vulnerability in Zoom Clients for Windows, tracked as CVE-2025-49457 with a CVSS score of 9.6, has been patched. This flaw involves an untrusted search path that could allow an attacker to escalate privileges on a target system.

In a security bulletin released Tuesday, Zoom explained, “Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.”

The issue, which was responsibly disclosed by Zoom’s own Offensive Security team, affects the following products:

  • Zoom Workplace for Windows before version 6.3.10
  • Zoom Workplace VDI for Windows before version 6.3.10 (except 6.1.16 and 6.2.12)
  • Zoom Rooms for Windows before version 6.3.10
  • Zoom Rooms Controller for Windows before version 6.3.10
  • Zoom Meeting SDK for Windows before version 6.3.10

Xerox FreeFlow Core Vulnerable to RCE

Separately, Xerox has disclosed multiple vulnerabilities in its FreeFlow Core software, with the most severe flaw potentially leading to remote code execution. These issues have been fixed in version 8.0.4.

The patched vulnerabilities include:

  • CVE-2025-8355 (CVSS score: 7.5): An XML External Entity (XXE) injection flaw that could lead to server-side request forgery (SSRF).
  • CVE-2025-8356 (CVSS score: 9.8): A path traversal vulnerability that could allow for remote code execution.
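The two affected-version lists above (Zoom clients before 6.3.10, with the two VDI exceptions, and FreeFlow Core before 8.0.4) are easy to get wrong when checking an estate by hand. The following added example, not from either vendor bulletin, encodes those thresholds as a check over a constructed software inventory; the product names and the inventory rows are assumptions for illustration.

```python
from typing import Iterable

ZOOM_FIXED = (6, 3, 10)                          # Zoom Windows clients fixed in 6.3.10
ZOOM_VDI_EXCEPTIONS = {(6, 1, 16), (6, 2, 12)}   # VDI builds the bulletin lists as not affected
XEROX_FIXED = (8, 0, 4)                          # FreeFlow Core fixed in 8.0.4

ZOOM_PRODUCTS = {
    "Zoom Workplace for Windows",
    "Zoom Workplace VDI for Windows",
    "Zoom Rooms for Windows",
    "Zoom Rooms Controller for Windows",
    "Zoom Meeting SDK for Windows",
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.3.10' into (6, 3, 10); a non-numeric component ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def is_affected(product: str, version: str) -> bool:
    """True if this product/version is still exposed to CVE-2025-49457 (Zoom) or
    CVE-2025-8355 / CVE-2025-8356 (Xerox FreeFlow Core) per the vendor bulletins."""
    v = parse_version(version)
    if product in ZOOM_PRODUCTS:
        if product == "Zoom Workplace VDI for Windows" and v in ZOOM_VDI_EXCEPTIONS:
            return False          # VDI 6.1.16 and 6.2.12 already carry the fix
        return v < ZOOM_FIXED     # tuple comparison handles 6.2.x < 6.3.10 correctly
    if product == "Xerox FreeFlow Core":
        return v < XEROX_FIXED
    return False                  # product not named in either bulletin

def affected_hosts(inventory: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Filter (host, product, version) rows down to the ones that still need patching."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (hypothetical hostnames), as an endpoint tool might export it.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Workplace for Windows", "6.2.5"),
    ("ws-02", "Zoom Workplace for Windows", "6.3.10"),
    ("vdi-01", "Zoom Workplace VDI for Windows", "6.1.16"),
    ("vdi-02", "Zoom Workplace VDI for Windows", "6.2.0"),
    ("print-01", "Xerox FreeFlow Core", "8.0.3"),
    ("print-02", "Xerox FreeFlow Core", "8.0.4"),
]
```

Running `affected_hosts(SAMPLE_INVENTORY)` flags ws-01, vdi-02 and print-01; the VDI host on 6.1.16 is correctly left out.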

Cybersecurity researchers at Horizon3.ai noted the severity of these flaws, stating, “These vulnerabilities are rudimentary to exploit and if exploited, could allow an attacker to execute arbitrary commands on the affected system, steal sensitive data, or attempt to move laterally into a given corporate environment to further their attack.”

Given the critical nature of these vulnerabilities, users of the affected Zoom and Xerox products are strongly urged to apply the latest security updates as soon as possible to mitigate the risk of exploitation.
