CVE-2022-36924: CWE-427: Uncontrolled Search Path Element in Zoom Video Communications Inc Zoom Rooms Installer for Windows

High
Tags: Vulnerability, CVE-2022-36924, CWE-427
Published: Thu Nov 17 2022 (11/17/2022, 22:37:00 UTC)
Source: CVE
Vendor/Project: Zoom Video Communications Inc
Product: Zoom Rooms Installer for Windows

Description

The Zoom Rooms Installer for Windows prior to 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to the SYSTEM user.

AI-Powered Analysis

AI analysis last updated: 06/24/2025, 19:21:14 UTC

Technical Analysis

CVE-2022-36924 is a high-severity local privilege escalation vulnerability in the Zoom Rooms Installer for Windows prior to version 5.12.6. It is classified as CWE-427, Uncontrolled Search Path Element. During installation, code running as SYSTEM resolves a DLL or other executable component by name, and the search path it walks reaches a directory that a low-privileged local user can write to. A user who places a suitably named file in that directory gets it loaded and executed with the installer's SYSTEM privileges; this is the classic DLL search-order hijack.

The CVSS v3.1 base score is 8.8, which corresponds to the metrics the advisory describes (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H): local access, low attack complexity, low privileges required, no user interaction, a scope change (the impact extends beyond the vulnerable installer component to the whole host), and high impact on confidentiality, integrity and availability.

No exploitation in the wild is known at the time of this analysis, but the outcome, SYSTEM from an ordinary local account, makes it a serious risk wherever Zoom Rooms is deployed. The advisory gives no lower bound on affected versions, so every installer build before 5.12.6 should be treated as affected. The issue was publicly disclosed on November 17, 2022, and the CVE record carries CISA enrichment data. The root cause is the installer's unchecked search path: because it does not restrict where a SYSTEM-level process loads executable components from, DLL hijacking or an equivalent technique elevates a local user to SYSTEM, which amounts to full compromise of the machine.

Potential Impact

For European organizations, this vulnerability poses a significant risk wherever Zoom Rooms is used for conference and collaboration. Successful exploitation lets a local attacker, such as an insider, a contractor, or a compromised user account, obtain SYSTEM-level privileges and therefore full control of the affected Windows machine. That enables access to sensitive corporate data, installation of persistent malware, disruption of services, and lateral movement within the network. Given the wide adoption of Zoom Rooms in corporate, educational, and governmental sectors across Europe, the flaw could be used to undermine the confidentiality, integrity, and availability of critical communication infrastructure. The exposure is greatest on shared or multi-user systems where low-privileged users have an interactive session, whether at the console or over a remote desktop connection, while the installer is run. The vulnerability can also serve as a stepping stone for more complex attacks against European entities, including espionage or sabotage. Although no public exploits are known, the low attack complexity, the absence of any user interaction, and the high privileges gained make this a threat that should be addressed promptly.

Mitigation Recommendations

- Upgrade the Zoom Rooms Installer for Windows to version 5.12.6 or later, where this vulnerability is patched, and replace any older installer copies cached on file shares or in deployment tooling.
- Restrict local user permissions so that unprivileged users cannot install or modify the Zoom Rooms software; deploy it through an administrator-controlled software distribution mechanism rather than letting users launch the installer themselves.
- Run the installer only from a directory that non-administrators cannot write to. The directory an executable is started from is searched before the system PATH, so an installer launched from a user-writable folder is exposed regardless of PATH hygiene.
- Implement application allow-listing and code integrity policies so that unauthorized DLLs cannot be loaded during installation.
- Use Windows Group Policy to restrict write permissions on directories included in the system PATH environment variable to trusted administrators only, and audit those ACLs periodically.
- Monitor installation processes and audit logs for unusual activity related to Zoom Rooms installation, such as DLL loads from user-writable locations or unexpected child processes of the installer running as SYSTEM.
- Isolate systems on which Zoom Rooms installers are run from untrusted users and networks to reduce the local attack surface.
- Educate IT staff and users about privilege escalation vulnerabilities and the importance of applying security updates promptly.
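The two checks a practitioner would want to run after reading the analysis and the mitigations above, as an added example (not Zoom's code and not part of the original advisory): audit the directories a SYSTEM-level installer could resolve a DLL from for write or create rights granted to broad low-privileged principals, and report whether an installed Zoom Rooms build is at or past the fixed release 5.12.6. It assumes the machine-wide PATH is the search path the installer inherits, that the caller passes in the folder the installer is launched from, and that the installed product registers an Uninstall entry whose DisplayName contains "Zoom Rooms". The advisory does not name the hijacked DLL or directory, so none is named here.

```powershell
# Added example, not code from Zoom or from the advisory. Assumptions are
# marked inline. Run in an elevated PowerShell session on the Windows host.

# Principals that must never hold write or create rights on a DLL search directory.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a low-privileged user plant or replace a file.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteMask = $R::WriteData -bor $R::AppendData -bor $R::Write -bor $R::Modify -bor $R::FullControl

function Get-WritableSearchDirectory {
    <#
    Emits one object per Allow ACE that gives a broad principal write or create
    rights on a directory the installer may search. Default input is the
    machine-wide PATH (assumption: that is the PATH a SYSTEM installer inherits).
    Pass -InstallerDirectory for the folder the installer is started from; the
    application directory is searched before PATH, so it is checked first.
    #>
    param(
        [string[]]$Directories = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'),
        [string]$InstallerDirectory
    )
    if ($InstallerDirectory) { $Directories = @($InstallerDirectory) + $Directories }

    foreach ($dir in ($Directories | Where-Object { $_ } | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing PATH entry is also interesting: whoever can create it controls it.
            Write-Warning "Search directory does not exist: $dir (check who may create it)"
            continue
        }
        try { $acl = Get-Acl -LiteralPath $dir } catch {
            Write-Warning "Cannot read ACL on ${dir}: $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            # Generic-rights ACEs surface as raw integers, so compare as int.
            if (([int]$ace.FileSystemRights -band [int]$WriteMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory = $dir
                Principal = $who
                Rights    = $ace.FileSystemRights
            }
        }
    }
}

function Test-ZoomRoomsPatched {
    <#
    Reports each installed product whose DisplayName contains 'Zoom Rooms'
    (the display-name match is an assumption) together with whether its version
    is at or above the fixed release named in the advisory, 5.12.6.
    #>
    param([version]$Fixed = '5.12.6')
    $uninstall = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zoom Rooms*' -and $_.DisplayVersion } |
        ForEach-Object {
            # Keep only the leading dotted-numeric part, e.g. "5.12.6 (1234)" -> 5.12.6
            $v = [version](($_.DisplayVersion -replace '[^\d.].*$').TrimEnd('.'))
            [pscustomobject]@{
                Product   = $_.DisplayName
                Installed = $v
                Patched   = ($v -ge $Fixed)
            }
        }
}

# Usage (elevated). 'C:\Installers' is a hypothetical staging folder.
Get-WritableSearchDirectory -InstallerDirectory 'C:\Installers' | Format-Table -AutoSize
Test-ZoomRoomsPatched | Format-Table -AutoSize
```

Any row returned by Get-WritableSearchDirectory is a directory where a low-privileged user could stage a DLL for a SYSTEM-level process to pick up; fix the ACL or remove the entry from PATH before running installers on that host. Test-ZoomRoomsPatched only inspects what is already installed; an installed build at or above 5.12.6 indicates the fixed installer was used for it, but older installer executables still cached elsewhere must be replaced separately.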

Technical Details

Data Version
5.1
Assigner Short Name
Zoom
Date Reserved
2022-07-27T00:00:00.000Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983dc4522896dcbef779

Added to database: 5/21/2025, 9:09:17 AM

Last enriched: 6/24/2025, 7:21:14 PM

Last updated: 8/15/2025, 9:00:04 AM
