CVE-2025-30662

Nov. 14, 2025, 4:42 p.m.

6.6
Medium

Description

Symlink following in the installer for the Zoom Workplace VDI Plugin macOS Universal installer before version 6.3.14, 6.4.14, and 6.5.10 in their respective tracks may allow an authenticated user to conduct a disclosure of information via network access.

Product(s) Impacted

Product Versions
workplace_vdi_plugin
  • <6.3.14
workplace_vdi_plugin
  • <6.4.14
workplace_vdi_plugin
  • <6.5.10

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-646
Reliance on File Name or Extension of Externally-Supplied File
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.

References

https://www.zoom.com/en/trust/security-bulletin/zsb-25045

Tags

security@zoom.us
CWE-646
2025-11-13
CVE-2025-30662

CVSS Score

6.6 / 10

CVSS Data - 3.1

  • Attack Vector: LOCAL
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: Nov. 13, 2025, 3:15 p.m.
Last Modified: Nov. 14, 2025, 4:42 p.m.

Status : Undergoing Analysis

CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.

More info

Source

security@zoom.us

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.