CVE-2022-28768: CWE-689: Permission Race Condition During Resource Copy in Zoom Video Communications Inc Zoom Client for Meetings Installer for macOS (Standard and for IT Admin)
The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to root.
AI Analysis
Technical Summary
CVE-2022-28768 is a high-severity local privilege escalation vulnerability affecting the Zoom Client for Meetings Installer on macOS, including both the Standard and IT Admin versions prior to 5.12.6. The vulnerability arises from a permission race condition during the resource copy phase of the installation process. Specifically, a low-privileged local user can exploit this race condition to gain root-level privileges on the affected system. The underlying weakness is classified under CWE-689, which refers to the improper handling of race conditions during resource copying. This flaw allows an attacker to manipulate the timing of file operations during installation, potentially replacing or modifying files with malicious content that the installer then executes with elevated privileges. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with an attack vector limited to local access (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially compromised component. Although no known exploits are reported in the wild, the vulnerability presents a significant risk, especially in environments where multiple users have local access to macOS systems running vulnerable Zoom installers. Since Zoom is widely used for remote collaboration, especially in corporate and educational settings, the presence of this vulnerability could allow malicious insiders or compromised local accounts to escalate privileges and gain full control over affected machines.
Potential Impact
For European organizations, the impact of CVE-2022-28768 can be substantial. Many enterprises, educational institutions, and government agencies across Europe rely heavily on Zoom for communication and collaboration, particularly on macOS endpoints. Exploitation of this vulnerability could lead to unauthorized root access, enabling attackers to install persistent malware, exfiltrate sensitive data, or disrupt system availability. This is especially critical in sectors handling sensitive personal data under GDPR, where unauthorized access could result in regulatory penalties and reputational damage. Additionally, organizations with shared or multi-user macOS environments, such as universities or public sector offices, are at higher risk since low-privileged users could leverage this flaw to escalate privileges. The vulnerability also poses risks to IT administrators who deploy Zoom via the IT Admin installer, as compromised endpoints could undermine broader network security. Given the high CVSS score and the potential for full system compromise without user interaction, the threat could facilitate lateral movement and further attacks within corporate networks.
Mitigation Recommendations
To mitigate this vulnerability effectively, European organizations should:
1) Immediately update all Zoom Client for Meetings installations on macOS to version 5.12.6 or later, where the vulnerability is patched.
2) Implement strict local user account management policies to minimize the number of users with local access on macOS systems, especially those used for sensitive operations.
3) Employ macOS security features such as System Integrity Protection (SIP) and Full Disk Encryption (FileVault) to limit the impact of privilege escalation.
4) Monitor installation processes and system logs for unusual file operations or privilege escalations during Zoom installation or updates.
5) Restrict the ability to install or update software to trusted administrators only, using Mobile Device Management (MDM) solutions to enforce application whitelisting and controlled software deployment.
6) Conduct regular security awareness training for IT staff and end users about the risks of privilege escalation vulnerabilities and the importance of timely patching.
7) For organizations using the IT Admin installer, validate installation scripts and deployment mechanisms to ensure they do not inadvertently expose race conditions or insecure file permissions.
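The weakness class named in the technical summary (CWE-689) and recommendation 7 above both come down to the same discipline: a privileged installer must not copy a resource through a path another local user can influence, and must not fix permissions in a separate step after the copy. The example below is an added illustration, not Zoom's installer code and not derived from the advisory: `safe_copy` opens the source with O_NOFOLLOW, checks ownership and writability on the open descriptor (not the path), creates the destination exclusively with mode 0600 inside a directory opened by descriptor, sets the final mode on that descriptor, and publishes it with an atomic rename; `audit_staging_tree` is the pre-flight check recommendation 7 asks for, flagging symlinks and group/world-writable entries in a deployment staging tree. All file names, modes and the staging layout in `demo()` are constructed for the demonstration.

```python
"""Hardened privileged resource copy plus a staging-tree permission audit.

Added example (not the vendor's code). The race in CWE-689 lives in the
window between "copy resource to a location" and "chmod/chown/execute it";
if a low-privileged user can write into that location, they can swap the
resource inside the window. The functions below remove the window instead
of trying to win the race.
"""
import os
import secrets
import shutil
import stat
import tempfile

OTHER_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def _check_trusted_fd(fd, expected_uid, what):
    """Validate an already-open descriptor, so the check and the use refer
    to the same inode (stat() on the path would not guarantee that)."""
    st = os.fstat(fd)
    if st.st_uid != expected_uid:
        raise PermissionError(f"{what}: owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & OTHER_WRITABLE:
        raise PermissionError(f"{what}: writable by other users, cannot be trusted")
    return st


def safe_copy(src, dst, expected_uid=None, mode=0o644, chunk=1 << 16):
    """Copy src to dst with no window in which another user can substitute
    either side. Returns the number of bytes copied."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    # O_NOFOLLOW: a symlink at src makes open() fail rather than follow it.
    src_fd = os.open(src, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(_check_trusted_fd(src_fd, expected_uid, "source").st_mode):
            raise PermissionError("source is not a regular file")
        dst_dir = os.path.dirname(os.path.abspath(dst))
        dir_fd = os.open(dst_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW | os.O_CLOEXEC)
        try:
            _check_trusted_fd(dir_fd, expected_uid, "destination directory")
            # Exclusive create with mode 0600, relative to the directory
            # descriptor: nobody can pre-place the name or read it while
            # it is being filled.
            tmp_name = ".staging-" + secrets.token_hex(8)
            tmp_fd = os.open(tmp_name, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW | os.O_CLOEXEC,
                             0o600, dir_fd=dir_fd)
            try:
                copied = 0
                with os.fdopen(tmp_fd, "wb") as out:
                    while True:
                        buf = os.read(src_fd, chunk)
                        if not buf:
                            break
                        out.write(buf)
                        copied += len(buf)
                    os.fchmod(out.fileno(), mode)  # final mode set on the descriptor
                    out.flush()
                    os.fsync(out.fileno())
                # Atomic publish; rename() replaces a symlink at dst, never follows it.
                os.rename(tmp_name, os.path.basename(dst), src_dir_fd=dir_fd, dst_dir_fd=dir_fd)
            except BaseException:
                try:
                    os.unlink(tmp_name, dir_fd=dir_fd)
                except FileNotFoundError:
                    pass
                raise
        finally:
            os.close(dir_fd)
    finally:
        os.close(src_fd)
    return copied


def audit_staging_tree(root, expected_uid=None):
    """Pre-flight check for an installer staging tree: returns (path, reason)
    for every entry a privileged installer must not trust."""
    if expected_uid is None:
        expected_uid = os.geteuid()
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink"))
                continue
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
            if st.st_uid != expected_uid:
                findings.append((path, f"owned by uid {st.st_uid}"))
    return findings


def demo():
    """Build a constructed staging tree in a temp dir and exercise both
    functions; returns the observations as a dict."""
    root = tempfile.mkdtemp(prefix="cwe689-demo-")
    payload = b"#!/bin/sh\necho constructed demo payload\n" * 200  # constructed content
    src = os.path.join(root, "payload.sh")
    with open(src, "wb") as f:
        f.write(payload)
    os.chmod(src, 0o644)
    out_dir = os.path.join(root, "out")
    os.mkdir(out_dir, 0o700)
    dst = os.path.join(out_dir, "payload.sh")
    result = {"copied_bytes": safe_copy(src, dst)}
    with open(dst, "rb") as f:
        result["content_ok"] = f.read() == payload
    result["dest_mode"] = stat.S_IMODE(os.stat(dst).st_mode)
    link = os.path.join(root, "payload-link.sh")
    os.symlink(src, link)
    try:
        safe_copy(link, dst)
        result["symlink_rejected"] = False
    except OSError:
        result["symlink_rejected"] = True
    os.chmod(src, 0o666)  # now writable by other users: must be refused
    try:
        safe_copy(src, dst)
        result["writable_rejected"] = False
    except PermissionError:
        result["writable_rejected"] = True
    result["audit_reasons"] = sorted({reason for _, reason in audit_staging_tree(root)})
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the copy succeeding into a private directory with the requested mode, the same call refused once the source is a symlink or is writable by other users, and the audit reporting exactly those two conditions in the staging tree. The remaining trust boundary is the destination directory itself, which is why the function refuses any directory that is group- or world-writable rather than relying on a later `chmod`.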
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Zoom
- Date Reserved: 2022-04-06T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983cc4522896dcbee875
Added to database: 5/21/2025, 9:09:16 AM
Last enriched: 6/25/2025, 2:36:51 AM
Last updated: 8/11/2025, 9:07:53 AM
Views: 13
Related Threats
- Researcher to release exploit for full auth bypass on FortiWeb (High)
- CVE-2025-9091: Hard-coded Credentials in Tenda AC20 (Low)
- CVE-2025-9090: Command Injection in Tenda AC20 (Medium)
- CVE-2025-9092: CWE-400 Uncontrolled Resource Consumption in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 (Low)
- CVE-2025-9089: Stack-based Buffer Overflow in Tenda AC20 (High)