CVE-2024-45424

Medium

Published: 25 February 2025

Published

25 February 2025

Modified

05 March 2025

KEV Added

—

Patch

—

CVSS Score 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Score 0.0033 56.1th percentile

Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-45424 is a medium-severity an unspecified weakness vulnerability in Zoom Meeting Software Development Kit. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 43.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Directly restricts permitted actions without identification or authentication, preventing unauthenticated network access from exploiting the business logic error to disclose information.

SI-2 Flaw Remediation good match

prevent

Requires identification, reporting, and timely remediation of flaws such as this business logic error via patching per Zoom bulletin ZSB-24036.

SC-7 Boundary Protection partial match

prevent

Monitors and controls communications at external interfaces to limit unauthenticated network access that could exploit the vulnerability for information disclosure.

NVD Description

Business logic error in some Zoom Workplace Apps may allow an unauthenticated user to conduct a disclosure of information via network access.

Deeper analysisAI

CVE-2024-45424 is a business logic error, mapped to CWE-840, affecting some Zoom Workplace Apps. Published on 2025-02-25, the vulnerability enables an unauthenticated user to conduct a disclosure of information via network access. It carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating medium severity with low confidentiality impact and no impact on integrity or availability.

An unauthenticated attacker with network access to a vulnerable Zoom Workplace App can exploit this issue with low complexity and no requirement for user interaction or privileges. Exploitation leads to partial disclosure of sensitive information, as the scope remains unchanged.

Zoom has issued security bulletin ZSB-24036, available at https://www.zoom.com/en/trust/security-bulletin/zsb-24036/, which provides further details on the vulnerability. Security practitioners should consult this advisory for recommended mitigations and patching guidance.

Details

CWE(s): CWE-840 NVD-CWE-noinfo

Affected Products

zoom

meeting software development kit

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

rooms

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

rooms controller

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

workplace

≤ 6.1.0 · ≤ 6.1.0

zoom

workplace desktop

≤ 6.1.0 · ≤ 6.1.0 · ≤ 6.1.0

zoom

workplace virtual desktop infrastructure

≤ 6.1.10

CVEs Like This One

CVE-2025-27439Same product: Zoom Meeting Software Development Kit

CVE-2025-27440Same product: Zoom Meeting Software Development Kit

CVE-2025-0151Same product: Zoom Meeting Software Development Kit

CVE-2025-0149Same product: Zoom Meeting Software Development Kit

CVE-2024-45421Same product: Zoom Meeting Software Development Kit

CVE-2025-49457Same product: Zoom Meeting Software Development Kit

CVE-2025-0145Same product: Zoom Meeting Software Development Kit

CVE-2024-45418Same product: Zoom Meeting Software Development Kit

CVE-2025-0150Same product: Zoom Meeting Software Development Kit

CVE-2025-62484Same product: Zoom Meeting Software Development Kit

References

https://www.zoom.com/en/trust/security-bulletin/zsb-24036/
Vendor Advisory · security@zoom.us