CVE-2024-45424
Published: 25 February 2025
Summary
CVE-2024-45424 is a medium-severity an unspecified weakness vulnerability in Zoom Meeting Software Development Kit. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-45424 is a business logic error, mapped to CWE-840, affecting some Zoom Workplace Apps. Published on 2025-02-25, the vulnerability enables an unauthenticated user to conduct a disclosure of information via network access. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.
An unauthenticated attacker with network access to a vulnerable Zoom Workplace App can exploit this issue with low complexity and no requirement for user interaction or privileges. Exploitation leads to partial disclosure of sensitive information, as the scope remains unchanged.
Zoom has issued security bulletin ZSB-24036, available at https://www.zoom.com/en/trust/security-bulletin/zsb-24036/, which provides further details on the vulnerability. Security practitioners should consult this advisory for recommended mitigations and patching guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53930
Vulnerability details
Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network-accessible information disclosure vulnerability directly enables exploitation of a public-facing application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly restricts permitted actions without identification or authentication, preventing unauthenticated network access from exploiting the business logic error to disclose information.
Requires identification, reporting, and timely remediation of flaws such as this business logic error via patching per Zoom bulletin ZSB-24036.
Monitors and controls communications at external interfaces to limit unauthenticated network access that could exploit the vulnerability for information disclosure.