
CVE-2025-58131: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition in Zoom Communications, Inc Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon

Severity: Medium
Type: Vulnerability
ID: CVE-2025-58131
Tags: cve, cve-2025-58131, cwe-367
Published: Tue Sep 09 2025 (09/09/2025, 21:48:51 UTC)
Source: CVE Database V5
Vendor/Project: Zoom Communications, Inc
Product: Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon

Description

Race condition in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon before version 6.4.10 (or before 6.2.15 and 6.3.12 in their respective tracks) may allow an authenticated user to conduct a disclosure of information via network access.

AI-Powered Analysis

Last updated: 09/17/2025, 00:55:06 UTC

Technical Analysis

CVE-2025-58131 is a time-of-check to time-of-use (TOCTOU) race condition vulnerability in the Zoom Workplace VDI Plugin macOS Universal installer for VMware Horizon. It affects versions before 6.4.10, or before 6.2.15 and 6.3.12 in their respective release tracks. The flaw arises from a race condition during the installation process: the state of a resource or file is checked and then used without proper synchronization, so an authenticated user can exploit the gap between the check and the use. Specifically, this can lead to unauthorized disclosure of sensitive information over the network. The vulnerability requires the attacker to have some level of authenticated access and involves user interaction, as indicated by the CVSS vector. The CVSS score of 6.6 (medium severity) reflects the moderate risk posed by this vulnerability, with high impact on confidentiality and integrity but no impact on availability. There are currently no known exploits in the wild, but the nature of TOCTOU issues makes it a candidate for exploitation in environments where the Zoom Workplace VDI Plugin is deployed on macOS systems within VMware Horizon virtual desktop infrastructure setups. The vulnerability is classified under CWE-367, highlighting the race condition aspect that can be leveraged to disclose information improperly.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially in sectors relying heavily on virtual desktop infrastructure (VDI) solutions for remote work and secure access, such as finance, government, healthcare, and critical infrastructure. The Zoom Workplace VDI Plugin is used to enhance Zoom's integration within VMware Horizon environments, which are prevalent in enterprise settings. Exploitation could lead to unauthorized disclosure of sensitive corporate or personal data, potentially violating GDPR requirements on data protection and privacy. The confidentiality breach could expose internal communications, credentials, or other sensitive information transmitted during the installation or update process. While the vulnerability requires authenticated access and user interaction, insider threats or compromised user accounts could be leveraged to exploit this flaw. The integrity impact could also undermine trust in the VDI environment, potentially leading to further security incidents. Given the widespread adoption of Zoom and VMware Horizon in Europe, this vulnerability could affect a broad range of organizations, increasing the risk of targeted attacks or lateral movement within networks.

Mitigation Recommendations

Organizations should prioritize updating the Zoom Workplace VDI Plugin to version 6.4.10 or later, or the corresponding patched versions in other release tracks (6.2.15, 6.3.12). Since no official patch links are provided, monitoring Zoom’s official security advisories and VMware Horizon updates is critical. Until patches are applied, organizations should enforce strict access controls to limit authenticated user privileges, minimizing the risk of exploitation by insiders or compromised accounts. Network segmentation and monitoring of VDI-related network traffic can help detect anomalous activities indicative of exploitation attempts. Additionally, implementing multi-factor authentication (MFA) for access to VDI environments reduces the likelihood of unauthorized authenticated access. Security teams should also conduct regular audits of VDI plugin installations and configurations to ensure compliance with security best practices. Finally, educating users about the risks of interacting with untrusted installers or updates can reduce the chance of user-driven exploitation.
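For the plugin audit recommended above, the following is an added example (not part of the original entry and not Zoom tooling) that flags affected installs using the per-track fixed versions named on this page. The inventory, hostnames and the rule that versions outside the 6.2, 6.3 and 6.4 tracks are compared against 6.4.10 are assumptions.

```python
import re

# Fixed releases per track, as stated in the advisory text on this page.
FIXED_BY_TRACK = {(6, 2): (6, 2, 15), (6, 3): (6, 3, 12), (6, 4): (6, 4, 10)}
NEWEST_FIXED = (6, 4, 10)

def parse_version(text):
    """Return (major, minor, patch); any trailing suffix after x.y.z is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_affected(version_text):
    """True if the version predates the fix for its own release track."""
    v = parse_version(version_text)
    fixed = FIXED_BY_TRACK.get(v[:2])
    if fixed is not None:
        # A patched 6.2.x or 6.3.x build is fine even though it sorts below 6.4.10.
        return v < fixed
    # Assumption: tracks with no listed fix are compared against 6.4.10.
    return v < NEWEST_FIXED

def audit(inventory):
    """inventory: iterable of (host, version string). Returns {host: status}."""
    report = {}
    for host, version_text in inventory:
        try:
            report[host] = "AFFECTED" if is_affected(version_text) else "ok"
        except ValueError:
            # Do not silently pass hosts whose version could not be read.
            report[host] = "UNKNOWN"
    return report

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE = [
    ("mac-001", "6.2.14"), ("mac-002", "6.2.15"), ("mac-003", "6.3.11"),
    ("mac-004", "6.3.12"), ("mac-005", "6.4.9"), ("mac-006", "6.4.10"),
    ("mac-007", "6.1.20"), ("mac-008", "6.5.0"), ("mac-009", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}\t{status}")
```

Hosts reported as `UNKNOWN` need a manual check rather than being counted as patched.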


Technical Details

Data Version: 5.1
Assigner Short Name: Zoom
Date Reserved: 2025-08-25T21:15:02.862Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68c0a1239ed239a66bad109f

Added to database: 9/9/2025, 9:50:27 PM

Last enriched: 9/17/2025, 12:55:06 AM

Last updated: 10/30/2025, 4:43:38 AM
