CVE-2022-28760: CWE-284 Improper Access Control in Zoom Video Communications Inc Zoom On-Premise Meeting Connector MMR
Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor could obtain the audio and video feed of a meeting they were not authorized to join and cause other meeting disruptions.
AI Analysis
Technical Summary
CVE-2022-28760 is an improper access control vulnerability (CWE-284) in the MMR component of Zoom Video Communications Inc's Zoom On-Premise Meeting Connector, affecting versions before 4.8.20220815.130. The CVSS vector reported for it requires low privileges (PR:L) and no user interaction (UI:N), and the flaw is reachable over the network (AV:N): an actor with low-privileged access to the deployment can bypass the meeting access check and obtain the audio and video feed of a meeting they were not authorized to join. The vendor description also mentions "other meeting disruptions", but the vector scores only the confidentiality impact (C:H, with no integrity or availability impact), which is what yields the medium rating of 6.5; the practical concern is therefore silent interception of meeting media rather than denial of service. No known exploits in the wild have been reported to date. The affected product is the on-premise variant of Zoom's meeting infrastructure, typically deployed by organizations that host meeting media internally for compliance, data-sovereignty or security reasons, so the realistic outcome is eavesdropping on confidential corporate or governmental meetings without the participants noticing, since obtaining the stream does not require disrupting the meeting.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of meetings carried over on-premise Zoom infrastructure. Enterprises, government agencies and regulated industries in Europe often choose on-premise deployment precisely to keep meeting media under their own control for GDPR and similar data-protection obligations, so unauthorized access to audio and video streams can constitute a breach involving personal data, intellectual property or classified information, with regulatory penalties, reputational damage and loss of trust as the likely consequences. The impact is most acute for finance, healthcare, legal and government, where confidential meetings are routine. Because the feed can be obtained without disrupting the meeting, participants get no visible sign of the intrusion and an attacker can listen for extended periods. And because the flaw requires only low privileges and no user interaction, an insider or a single compromised low-privilege account is enough to exploit it, which broadens the set of plausible attackers well beyond external actors.
Mitigation Recommendations
European organizations running Zoom On-Premise Meeting Connector MMR should upgrade to version 4.8.20220815.130 or later, where the vulnerability is fixed, and verify the installed version on every MMR instance rather than assuming the fleet is uniform. Where the upgrade cannot be applied immediately, limit network reachability of the MMR servers to the sources that legitimately need them, such as meeting clients on trusted internal networks or VPNs, bearing in mind that the MMR must remain reachable by meeting participants for meetings to work, so segmentation shrinks the attacker population but does not remove the flaw. Enhance monitoring and logging of access to the Meeting Connector to detect unusual or unauthorized join attempts, for example joins from accounts or networks that do not match a meeting's expected attendees. Enforce strong authentication and least privilege for accounts with access to the Meeting Connector infrastructure, since the vulnerability is exploitable with low privileges and one compromised or insider account suffices. Regular security audits and penetration tests that include the Meeting Connector environment can surface residual weaknesses, and administrators should be made aware of the issue and of the need for timely patching and access-control hygiene.
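The upgrade advice above only helps if every MMR instance is actually checked against the fixed build. The following is an added example, not code from Zoom or from this advisory: it parses Meeting Connector version strings in the dotted format the advisory quotes (4.8.20220815.130, read as major.minor.YYYYMMDD.build), compares them numerically against the fix version, and triages a host inventory. The hostnames and versions in SAMPLE_INVENTORY are constructed for the example; the only real value is the fixed version from the advisory.

```python
"""Triage Zoom On-Premise Meeting Connector MMR hosts against the fix for
CVE-2022-28760.

Added example, not Zoom's code. Version format (major.minor.YYYYMMDD.build)
is inferred from the fixed version quoted in the advisory, 4.8.20220815.130.
"""
from __future__ import annotations

import re
from typing import Iterable

FIXED_VERSION = "4.8.20220815.130"  # first fixed build per the advisory

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '4.8.20220815.130' into (4, 8, 20220815, 130).

    Raises ValueError for anything that is not dotted integers, so an
    unparseable inventory entry is surfaced instead of being treated as patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` sorts numerically before the fixed build.

    Tuple comparison is component-wise, so '4.8.20221015.6' is correctly newer
    than '4.8.20220815.130' (date outranks build number), and a truncated '4.8'
    sorts before the full fixed tuple and is reported vulnerable (conservative).
    """
    return parse_version(version) < parse_version(fixed)


def triage(inventory: Iterable[tuple[str, str]]) -> dict[str, list[str]]:
    """Group hostnames into 'vulnerable', 'patched' or 'unknown' buckets."""
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown"  # needs a manual look, never assume patched
        result[status].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("mmr-01.example.internal", "4.8.20220815.130"),  # exactly the fix: patched
    ("mmr-02.example.internal", "4.8.20220525.101"),  # earlier build: vulnerable
    ("mmr-03.example.internal", "4.6.20211230.73"),   # older minor: vulnerable
    ("mmr-04.example.internal", "4.8.20221015.6"),    # later date, low build: patched
    ("mmr-05.example.internal", "unknown"),           # unparseable: flagged
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

In practice the inventory would come from the Meeting Connector admin portal or a configuration-management export rather than a hard-coded list; the point of the "unknown" bucket is that a host whose version cannot be read must not be counted as patched.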
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden, Switzerland, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Zoom
- Date Reserved: 2022-04-06T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec99d
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 2:55:49 PM
Last updated: 8/6/2025, 6:05:13 AM
Related Threats
- CVE-2025-8853: CWE-290 Authentication Bypass by Spoofing in 2100 Technology Official Document Management System (Critical)
- CVE-2025-8838: Improper Authentication in WinterChenS my-site (Medium)
- CVE-2025-8837: Use After Free in JasPer (Medium)
- CVE-2025-8661: Vulnerability in Broadcom Symantec PGP Encryption (Medium)
- CVE-2025-8836: Reachable Assertion in JasPer (Medium)