Zoom patches a flaw that could hand strangers full control of your account
A critical bug in Zoom's Windows software let attackers take over accounts without a password, a click, or any help from the victim. Zoom found it first and patched it. Here is what you need to know.

Key points
- Zoom disclosed and patched a critical account-takeover vulnerability affecting its Windows software on Tuesday and Wednesday of this week.
- The flaw, tracked as CVE-2025-30663 (the official identifier assigned to the bug), carried a CVSS score, a severity rating from 0 to 10, that security analysts describe as near-maximum.
- Affected products include Zoom Desktop Client for Windows before version 7.0.0 and Zoom VDI Client for Windows before version 7.0.10.
- Zoom says no real-world attacks using this flaw have been reported as of Thursday.
- Zoom has more than 300 million daily active users and 470,000 paying business customers.
Zoom quietly fixed one of the nastiest kinds of security flaws a software company can face: a bug that lets a complete stranger take over your account with no password, no phishing email to trick you, and no action on your part whatsoever.
The company published four security bulletins on Tuesday, then released the actual fixes on Wednesday. The worst of the four is an account-takeover flaw in Zoom's Windows desktop software. An attacker sitting anywhere on the internet could exploit it remotely, with low technical skill, and walk away owning your Zoom account.
How bad is this, really?
Pretty bad. Frank Dickson, group vice president for security at the research firm IDC, put it plainly: "This bug is about as bad as it gets, short of a worm." A worm is malicious software that spreads itself automatically from machine to machine. This flaw stops just short of that, but not by much.
Brian Levine, executive director of FormerGov, a security consultancy, pointed out what account access actually means in practice. An attacker could listen to recordings of past meetings, eavesdrop on future ones, and impersonate your organisation to trick your clients or partners. For anyone who uses Zoom for legal consultations, medical appointments, or business negotiations, that is a serious exposure.
Giuseppe Trotta, principal security researcher at Malwarebytes, suspects the vulnerability involves "deep links", the special web addresses that open desktop apps directly from a browser (you may have seen URLs starting with "zoommtg://"). If Zoom's app fails to check those addresses properly, a crafted malicious link could silently hand over your session token, a digital key that proves you are logged in, to an attacker's server. No password required. No warning displayed.
The three remaining flaws all involve privilege escalation, meaning software tricks that let an attacker who is already inside a system gain more control than they should have. They affect Zoom Workplace for Windows before version 7.0.5, Zoom Rooms for Windows before version 7.0.5, and several VDI (virtual desktop infrastructure) components.
If you are on Windows and use Zoom, update now. Open Zoom, click your profile picture, choose "Check for Updates", and install whatever appears.
The clearest piece of good news here is that Zoom found the flaw itself through internal code review, and no exploitation in the wild has been reported. Mike Wilkes, enterprise chief information security officer at Aikido Security, still wants to know how a flaw this severe passed design reviews and pre-release testing in the first place. That question does not have a public answer yet.
Original reporting on this story first appeared at CSO Online.



