CVE-2023-28597
8.3
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
Zoom clients prior to 5.13.5 contain an improper trust boundary implementation vulnerability. If a victim saves a local recording to an SMB location and later opens it using a link from Zoom’s web portal, an attacker positioned on an adjacent network to the victim client could set up a malicious SMB server to respond to client requests, causing the client to execute attacker controlled executables. This could result in an attacker gaining access to a user's device and data, and remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Zoom Video Communications Inc | Zoom (for Android, iOS, Linux, macOS, and Windows) | unspecified < 5.13.5 | affected |
| Zoom Video Communications Inc | Zoom Rooms (for Android, iOS, Linux, macOS, and Windows) | unspecified < 5.13.5 | affected |
| Zoom Video Communications Inc | Zoom VDI for Windows | unspecified < 5.13.10 | affected |
Weaknesses
- CWE-501: CWE-501: Trust Boundary Violation
ADP Enrichment
CVE Program Container
Additional References
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.