Critical Zoom for Windows vulnerability allows hackers to hijack accounts without a password
Hackers on the internet can tamper with Zoom traffic and hijack accounts with no password or user interaction.

- A critical 9.8/10 severity vulnerability in Zoom for Windows allows unauthenticated remote account takeover.
- No user interaction or password is required for an attack to occur.
- The flaw impacts Zoom Desktop Client, Virtualized clients, and the Meeting SDK, and users are urged to update.
Zoom has issued an urgent update alert warning that hackers can take over accounts simply via network access without a password or any user interaction – Windows users must update now. The critical vulnerability affects desktop and virtualized clients, as well as the SDK for embedding the functionality in other apps.
Zoom vulnerability is about as bad as it gets, rated 9.8 out of 10 on the severity score. The app doesn't properly validate user input, which attackers can exploit to hijack accounts.
The bug “may allow an unauthenticated user to conduct an account takeover via network access,” the company said.
Zoom issued urgent updates for the Zoom Desktop Client for Windows and Zoom VDI (Zoom Virtual Desktop Infrastructure) for Windows, and said it removed Meeting SDK for Windows as an affected product.
“Users can help keep themselves secure by applying the latest updates,” the company explains.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
The attack complexity is low, meaning hackers wouldn’t need any special conditions to carry it out. No privileges or user interaction are needed, meaning the attack can happen without any user involvement.
Potential attacks can be devastating, as attackers with stolen accounts can access private sensitive data in full, including meetings, chat, recordings, account information, or attempt to impersonate the user.
The security advisory doesn’t provide any details about the vulnerability or whether it’s been exploited in the wild. It was reported by the company’s own Zoom Offensive Security team. However, given the critical severity score, the exploitation is likely imminent.
Normally, attackers can’t simply access the software running on local machines over the network, because users are protected by their firewalls (routers) from any inbound connections. However, the Zoom app constantly initiates outbound connections to its servers and to meeting participants, and attackers might insert themselves along the path.
The flaw lies in how the app processes the data it receives, allowing specially crafted network packets to trigger abnormal behavior.
The bug doesn’t affect Mac, Linux, iOS, or Android clients.
The updates also fix 3 other Zoom for Windows high-severity vulnerabilities: a race condition in the desktop client, an improper privilege management flaw in Zoom Rooms, and another improper input validation flaw in the Workplace VDI plugin for Windows.