The bugs were hiding in the corporate Zoom Rooms.
Let's take a quick look at each of the fixed vulnerabilities:
- CVE-2022-36930 (CVSS score 8.2) - A non-admin local user could use this vulnerability in the Zoom Rooms for Windows installer to gain SYSTEM-level privileges.
- CVE-2022-36929 (CVSS score 7.8) - A non-admin local user could use this vulnerability in the Zoom Rooms Windows client to gain SYSTEM-level privileges. The vulnerability affects all versions of the Rooms client for Windows up to version 5.12.7.
- CVE-2022-36926 (CVSS score 8.8) - Like the two above, this vulnerability allows a local user without administrator rights to elevate their privileges, in this case to root. It only affects Zoom Rooms clients for macOS up to version 5.11.3.
In addition to the security holes listed above, Zoom has fixed two less serious vulnerabilities. The first (CVE-2022-36925) affects all versions of the macOS client up to version 5.11.4 and is related to an insecure key generation mechanism; the second (CVE-2022-36928) is a path traversal vulnerability in the Zoom app for Android.