CVE-2025-67460 is a vulnerability classified under CWE-693 (Protection Mechanism Failure) affecting Zoom Rooms software on Windows platforms before version 6.6.0. The issue stems from a flawed software downgrade protection mechanism, which allows an unauthenticated attacker with local access and limited privileges to perform a software downgrade attack. By exploiting this, the attacker can escalate their privileges on the affected system, potentially gaining administrative rights. The vulnerability impacts confidentiality, integrity, and availability, as an attacker with escalated privileges can access sensitive information, modify or delete data, and disrupt system operations. The attack vector requires local access but does not require user interaction or prior authentication beyond limited privileges. Although no known exploits have been reported in the wild, the vulnerability's nature and CVSS score of 7.8 indicate a significant risk. Zoom Rooms is widely used in enterprise and public sector environments for video conferencing and collaboration, making this vulnerability particularly concerning for organizations relying on these systems for critical communications. The lack of a patch link suggests that remediation involves upgrading to Zoom Rooms version 6.6.0 or later, where the protection mechanism failure has been addressed.

For European organizations, the impact of CVE-2025-67460 can be substantial. Organizations using Zoom Rooms on Windows systems may face unauthorized privilege escalation, leading to potential full system compromise. This can result in exposure of sensitive communications, unauthorized data access, and disruption of critical collaboration services. The vulnerability could be exploited by malicious insiders or attackers who gain local access through other means, such as compromised endpoints or physical access. This risk is heightened in environments with shared or poorly controlled local access, such as conference rooms or public kiosks. The confidentiality of sensitive meeting content and integrity of system configurations are at risk, potentially affecting compliance with data protection regulations like GDPR. Availability of Zoom Rooms services could also be impacted, disrupting business operations and remote collaboration. The absence of known exploits currently provides a window for proactive mitigation, but the high CVSS score underscores the urgency of addressing the vulnerability.

To mitigate CVE-2025-67460, European organizations should prioritize upgrading Zoom Rooms to version 6.6.0 or later, where the software downgrade protection mechanism failure has been fixed. Until the upgrade is applied, organizations should restrict local access to systems running vulnerable Zoom Rooms versions by enforcing strict physical and logical access controls. Implement endpoint security measures such as application whitelisting and privilege management to prevent unauthorized software modifications or downgrades. Conduct regular audits of Zoom Rooms installations to identify and remediate outdated versions. Educate IT and security staff about the risks of local privilege escalation and the importance of securing conference room endpoints. Additionally, monitor systems for unusual privilege escalation attempts or unauthorized software changes. Where possible, isolate Zoom Rooms systems from general user environments to limit exposure. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.