Cyber Posture

CVE-2025-0149

Medium

Published: 11 March 2025

Published
11 March 2025
Modified
19 August 2025
KEV Added
Patch
CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
EPSS Score 0.0003 9.0th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-0149 is a medium-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Zoom Meeting Software Development Kit. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 9.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely flaw remediation, directly mitigating CVE-2025-0149 by applying patches for the insufficient data authenticity verification as specified in the Zoom security bulletin.

SI-7 Software, Firmware, and Information Integrity good match
preventdetect

SI-7 enforces integrity verification of information to detect unauthorized modifications or inauthentic data, preventing DoS exploitation due to insufficient authenticity checks.

SC-5 Denial-of-service Protection good match
preventdetect

SC-5 implements denial-of-service protections such as traffic validation and rate limiting, countering the network-based DoS by unprivileged users targeting unverified data authenticity.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Vulnerability enables remote, unauthenticated exploitation of Zoom apps via insufficient data authenticity verification to cause denial of service, directly mapping to application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Insufficient verification of data authenticity in some Zoom Workplace Apps may allow an unprivileged user to conduct a denial of service via network access.

Deeper analysisAI

CVE-2025-0149 involves insufficient verification of data authenticity, classified under CWE-345, affecting some Zoom Workplace Apps. Published on 2025-03-11T17:16:17.523, the vulnerability has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L), rated as Medium severity.

An unprivileged user with network access can exploit this vulnerability to conduct a denial of service. The attack requires low complexity, no privileges or user interaction, and results in low impacts to integrity and availability with an unchanged scope.

The Zoom security bulletin at https://www.zoom.com/en/trust/security-bulletin/zsb-25008/ provides details on advisories and patches for mitigation.

Details

CWE(s)
CWE-345

Affected Products

zoom
meeting software development kit
≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom
rooms
≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom
rooms controller
≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom
workplace
≤ 6.3.0 · ≤ 6.3.0
zoom
workplace desktop
≤ 6.3.0 · ≤ 6.3.0 · ≤ 6.3.0
zoom
workplace virtual desktop infrastructure
≤ 6.1.15 · 6.1.16 — 6.2.10

CVEs Like This One

CVE-2025-0151Same product: Zoom Meeting Software Development Kit
CVE-2025-27440Same product: Zoom Meeting Software Development Kit
CVE-2024-45424Same product: Zoom Meeting Software Development Kit
CVE-2025-27439Same product: Zoom Meeting Software Development Kit
CVE-2024-45421Same product: Zoom Meeting Software Development Kit
CVE-2025-49457Same product: Zoom Meeting Software Development Kit
CVE-2025-0150Same product: Zoom Meeting Software Development Kit
CVE-2025-0145Same product: Zoom Meeting Software Development Kit
CVE-2024-45418Same product: Zoom Meeting Software Development Kit
CVE-2025-62484Same product: Zoom Meeting Software Development Kit

References