
CVE-2025-67461: CWE-73: External Control of File Name or Path in Zoom Communications Inc. Zoom Rooms

Severity: Medium
Tags: Vulnerability, CVE-2025-67461, CWE-73
Published: Wed Dec 10 2025 (12/10/2025, 20:29:36 UTC)
Source: CVE Database V5
Vendor/Project: Zoom Communications Inc.
Product: Zoom Rooms

Description

External control of file name or path in Zoom Rooms for macOS before version 6.6.0 may allow an authenticated user to conduct a disclosure of information via local access.

AI-Powered Analysis

Last updated: 12/10/2025, 21:05:24 UTC

Technical Analysis

CVE-2025-67461 is classified under CWE-73 (External Control of File Name or Path) and affects Zoom Rooms for macOS before version 6.6.0. An authenticated user with local access can influence a file name or path that the application uses, and through it read data that Zoom Rooms stores or processes and that the user should not be able to reach. The advisory limits the attacker to a locally authenticated user, so there is no remote exploitation path; the analysis also records that user interaction is required. Attack complexity is low: the attacker only needs to supply the controlled path input. The impact is confined to confidentiality; integrity and availability are not affected. The CVSS v3.1 base score is 5.0 (Medium), consistent with a local, confidentiality-only issue that needs an authenticated user. The fix ships in Zoom Rooms for macOS 6.6.0; no public exploit was known at the time of publication. The root cause is the familiar one of consuming a caller-controlled file name or path without canonicalizing it and confining it to the directory the application intended.
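To make the CWE-73 pattern concrete, the following Python is an added illustration, not Zoom's code, and says nothing about how Zoom Rooms itself handles paths (the advisory does not describe that). It contrasts a reader that joins a caller-controlled name into a path unchecked with one that canonicalizes the result and refuses anything that resolves outside the intended directory. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile


def read_file_unsafe(base_dir: str, requested_name: str) -> bytes:
    """CWE-73 pattern: a caller-controlled name is joined into a path unchecked.

    '../secret.txt' climbs out of base_dir, and an absolute requested_name
    makes os.path.join() discard base_dir entirely.
    """
    path = os.path.join(base_dir, requested_name)
    with open(path, "rb") as fh:
        return fh.read()


def resolve_within(base_dir: str, requested_name: str) -> str:
    """Return the canonical path for requested_name only if it stays under base_dir.

    realpath() collapses '..' segments and follows symlinks, so a symlink
    planted inside base_dir that points outside it is rejected as well.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base!r}: {requested_name!r}")
    return candidate


def read_file_safe(base_dir: str, requested_name: str) -> bytes:
    """Hardened reader: every name goes through resolve_within() first."""
    with open(resolve_within(base_dir, requested_name), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Constructed layout: <tmp>/secret.txt outside the share, <tmp>/share/notes.txt
    inside it, plus a symlink inside the share pointing at the secret.
    Returns what each reader does for benign and hostile names."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        share = os.path.join(root, "share")
        os.mkdir(share)
        secret = os.path.join(root, "secret.txt")
        with open(secret, "wb") as fh:
            fh.write(b"TOKEN=constructed-sample")  # constructed sample data
        with open(os.path.join(share, "notes.txt"), "wb") as fh:
            fh.write(b"meeting notes")
        os.symlink(secret, os.path.join(share, "link"))

        # The unchecked reader happily serves the secret three different ways.
        results["unsafe_benign"] = read_file_unsafe(share, "notes.txt")
        results["unsafe_traversal"] = read_file_unsafe(share, "../secret.txt")
        results["unsafe_absolute"] = read_file_unsafe(share, secret)
        results["unsafe_symlink"] = read_file_unsafe(share, "link")

        # The hardened reader serves the benign file and rejects the rest.
        results["safe_benign"] = read_file_safe(share, "notes.txt")
        rejected = []
        for label, name in (("traversal", "../secret.txt"),
                            ("absolute", secret),
                            ("symlink", "link")):
            try:
                read_file_safe(share, name)
            except ValueError:
                rejected.append(label)
        results["safe_rejected"] = rejected
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check compares canonical paths rather than string prefixes: a prefix test on `"/srv/share"` would also accept `"/srv/share-private/…"`, which `os.path.commonpath` does not.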

Potential Impact

For European organizations the risk is moderate and falls on confidentiality: information handled by Zoom Rooms on an affected macOS device could be read by a local user who is not entitled to it. That matters most where a Zoom Rooms Mac is shared between several accounts or where insider threats are a concern. Because the attacker must already be an authenticated local user and user interaction is required, large-scale exploitation is unlikely. Organizations in regulated sectors such as finance, healthcare or government that run Zoom Rooms for meetings and collaboration may nonetheless face data-protection and compliance consequences if meeting content or other sensitive material is exposed. Integrity and availability are not affected, so operational disruption is not expected, but leaked confidential content or credentials could cause reputational harm and enable follow-on attacks. Affected entities should review how their Zoom Rooms Macs are shared and how local accounts and privileges are managed.

Mitigation Recommendations

Update Zoom Rooms for macOS to version 6.6.0 or later; that release contains the fix, and upgrading is the primary mitigation. Until each device is updated, restrict local accounts on Zoom Rooms Macs to trusted personnel and grant them only the privileges they need; avoid sharing a device among multiple interactive users. Audit local file-system access around the Zoom Rooms installation and data directories for unexpected path patterns, and use endpoint security tooling that flags anomalous file operations. Tell users not to feed untrusted files or paths to the application. Where practical, treat Zoom Rooms devices as dedicated appliances rather than general-purpose workstations, which limits who can obtain the local authenticated access this issue requires. Finally, keep device-management policies covering local application usage and file-system permissions current so that similar local-access issues are contained in future.
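Deciding whether an installed copy is in the affected range is a version comparison, and naive string comparison gets it wrong ("6.10.2" sorts before "6.6.0" as text). The following is an added example, not Zoom's tooling: the Info.plist location and the CFBundleShortVersionString key are assumptions about where Zoom Rooms records its version on macOS; the comparison itself works on any dotted version string.

```python
import os
import plistlib

# Version that contains the fix per the advisory.
FIXED_VERSION = (6, 6, 0)

# Assumed bundle location; verify against the actual install before relying on it.
ZOOM_ROOMS_PLIST = "/Applications/ZoomRooms.app/Contents/Info.plist"


def parse_version(text: str) -> tuple:
    """Turn '6.5.10' or '6.6.0 (1234)' into a padded integer tuple (6, 5, 10)."""
    core = text.strip().split()[0]              # drop a trailing build number
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (len(FIXED_VERSION) - len(parts))  # '6.6' compares as 6.6.0
    return tuple(parts)


def is_affected(version_text: str) -> bool:
    """True when the version is below 6.6.0, i.e. in the advisory's affected range."""
    return parse_version(version_text) < FIXED_VERSION


def installed_version(plist_path: str = ZOOM_ROOMS_PLIST):
    """Read the bundle's short version string, or None if the bundle is absent."""
    if not os.path.exists(plist_path):
        return None
    with open(plist_path, "rb") as fh:
        return plistlib.load(fh).get("CFBundleShortVersionString")


if __name__ == "__main__":
    current = installed_version()
    if current is None:
        print("Zoom Rooms bundle not found at", ZOOM_ROOMS_PLIST)
    elif is_affected(current):
        print(f"Zoom Rooms {current} is affected; update to 6.6.0 or later")
    else:
        print(f"Zoom Rooms {current} is at or above the fixed version")
```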


Technical Details

Data Version
5.2
Assigner Short Name
Zoom
Date Reserved
2025-12-08T13:59:49.274Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 6939dceba97935729e774097

Added to database: 12/10/2025, 8:49:47 PM

Last enriched: 12/10/2025, 9:05:24 PM

Last updated: 12/11/2025, 2:56:21 AM