A high-severity security vulnerability has been discovered in Zoom Workplace's VDI Client for Windows that could allow authenticated local users to escalate their privileges to administrator-level access on affected systems. The flaw, tracked as CVE-2025-64740 and assigned bulletin ZSB-25042, stems from improper verification of cryptographic signatures in the installer mechanism and carries a CVSS score of 7.5, indicating significant enterprise security risk.
The vulnerability originates in the Zoom Workplace VDI Client installer's failure to properly verify cryptographic signatures of installation files before execution. This cryptographic signature verification weakness represents a fundamental security control failure, as digital signatures provide assurance that software packages originate from legitimate sources and haven't been tampered with during transmission or storage.
When signature verification is improperly implemented, attackers can manipulate the installation process, potentially injecting malicious code or modifying legitimate components. An authenticated attacker with local system access could exploit this oversight to escalate privileges from a standard user account to full administrator-level access, bypassing security controls and gaining complete system control.
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H indicates that the vulnerability requires local attack vector, relatively high complexity, low privileges, and user interaction. However, once successfully exploited, the impact is severe, affecting confidentiality, integrity, and availability of compromised systems.
The vulnerability impacts Zoom Workplace VDI Client for Windows versions before:
Version 6.3.14 (6.3.x track)
Version 6.4.12 (6.4.x track)
Version 6.5.10 (6.5.x track)
Any installation running earlier versions within these respective tracks remains vulnerable. Virtual Desktop Infrastructure (VDI) environments represent particularly critical deployment contexts, as organizations rely on VDI for secure remote work, sensitive data access, and isolated computing environments. A privilege escalation vulnerability in VDI client software directly threatens the security model organizations deploy to protect sensitive operations.
Mandiant, the Google-owned threat intelligence firm, discovered and disclosed this vulnerability to Zoom, highlighting the importance of specialized security research in identifying sophisticated implementation flaws within enterprise software.
Unlike remote vulnerabilities exploitable from the internet, CVE-2025-64740 requires an attacker to already possess authenticated local access to the target machine. This requirement creates a meaningful constraint on exploitation, as attackers must first compromise initial system access through separate vectors such as:
Social Engineering: Tricking users into opening malicious attachments or clicking phishing links
Stolen Credentials:Using compromised user accounts from other breaches or insider threats
Physical Access: Direct machine access in uncontrolled environments
Supply Chain Compromise: Pre-installed malware on new systems
Other Vulnerability Exploitation: Leveraging separate software flaws to gain initial access
However, once an attacker establishes initial access as a standard user, they can exploit CVE-2025-64740 during VDI client installation or updates to escalate to administrator privileges without additional user interaction, effectively moving from compromised user account to full system control.
The vulnerability represents a significant risk within enterprise VDI deployments because:
Privilege Escalation Chains: Compromised user accounts become pathways to complete system compromise, enabling malware installation, data exfiltration, and lateral movement across network infrastructure.
Virtual Environment Compromise: VDI environments often handle sensitive work including financial operations, healthcare records, government systems, and intellectual property. Compromising these environments threatens entire organizational operations.
Supply Chain Risk: Organizations managing large VDI deployments must ensure timely updates across hundreds or thousands of virtual instances, creating coordination and verification challenges.
Lateral Movement: Compromised VDI systems may provide attackers access to corporate networks, file servers, databases, and other sensitive infrastructure connected to virtual environments.
Zoom has released patched versions addressing this vulnerability:
Version 6.3.14 and later
Version 6.4.12 and later
Version 6.5.10 and later
Organizations using affected versions should treat patching as urgent priority. Zoom recommends immediate updates to the latest available versions. Users can verify their current version by accessing the Help menu within Zoom and identifying their version number. Organizations with enterprise deployments should:
Inventory Current Installations: Identify all VDI Client installations, their current versions, and which version tracks they follow.
Prioritize Critical Systems: Update systems handling sensitive operations first, followed by remaining installations.
Verify Patch Deployment: Confirm that all systems updated successfully to patched versions before considering the vulnerability remediated.
Monitor for Exploitation: Track logs for suspicious privilege escalation attempts or unauthorized administrative activity on VDI systems.
This vulnerability underscores broader security considerations for virtual desktop infrastructure deployments. VDI environments represent concentrated targets containing high-value systems and data. Security vulnerabilities in VDI client software directly threaten organizational security posture, as clients facilitate communication between user endpoints and virtual infrastructure.
Organizations deploying VDI must implement defense-in-depth strategies including:
Application Whitelisting: Restricting executable code execution to authorized applications, preventing malicious binary injection.
Code Integrity Verification: Implementing system-level controls ensuring cryptographic validation of all executable code.
Privileged Access Management: Restricting administrator account access and monitoring privilege elevation attempts.
Network Segmentation: Isolating VDI infrastructure from general corporate networks to limit breach blast radius.
Endpoint Detection and Response: Deploying EDR solutions capable of detecting anomalous process behavior and privilege escalation attempts.
The discovery and rapid patching of CVE-2025-64740 demonstrates both the importance of security research and the necessity for organizations to maintain current software versions in enterprise environments. Organizations running Zoom Workplace VDI Client should prioritize this update immediately to eliminate this attack vector and maintain their security posture in an increasingly sophisticated threat landscape.