London Daily

Focus on the big picture.
Sunday, Jul 12, 2026

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

Zoom Lets Attackers Steal Windows Credentials, Run Programs via UNC Links

The Zoom Windows client is vulnerable to UNC path injection in the client's chat feature that could allow attackers to steal the Windows credentials of users who click on the link.

The zero-day Zoom flaws could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

Two zero-day flaws have been uncovered in Zoom’s macOS client version, according to researchers. The web conferencing platform vulnerabilities could give local, unprivileged attackers root privileges, and allow them to access victims’ microphone and camera.

The two flaws, uncovered by Patrick Wardle, principle security researcher with Jamf, emerge as Zoom comes under increased scrutiny over its security measures, particularly with more employees working from home over the past few weeks due to the coronavirus pandemic.

“Today, we uncovered two (local) security issues affecting Zoom’s macOS application,” said Wardle in a post this week. “Given Zoom’s privacy and security track record this should surprise absolutely zero people.”

The vulnerabilities come with the caveat that an attacker needs a local foothold on systems to exploit them – so bad actors would first need physical access to a victims’ computer. Another attack scenario could include a post-malware infection attack by a remote adversary with a preexisting foothold on the targeted system.

The first flaw stems from an issue with Zoom’s installer and allows unprivileged attackers to gain root privileges. The issue stems from the Zoom installer using the AuthorizationExecuteWithPrivileges application programming interface (API) function, which is used to install the Zoom MacOS app (leveraging preinstallation scripts) without any user interaction.

The API has actually been deprecated by Apple because the it does not attempt to validate a binary being executed at root. Because Zoom is using this API, it means “a local unprivileged attacker or piece of malware may be able to surreptitiously tamper or replace that item in order to escalate their privileges to root,” said Wardle.

To exploit Zoom, the local, non-privileged attacker could simply modify a binary to include the runwithroot script during an install. Because it would then not be validated they would ultimately gain root access.

The second zero day flaw gives attackers Zoom’s mic and camera access, allowing for a way to record Zoom meetings, or snoop in on victims’ personal lives – sans a user access prompt.

Zoom requires access to a system microphone and camera due to its nature of being a web conferencing platform. While recent versions of macOS require explicit user approval for these permissions, Zoom has an “exception” that allows code to be injected by third party libraries. Wardle said a malicious third party library could be loaded into Zoom’s process/address space – automatically inheriting all Zooms access rights, and ultimately giving attackers control over these camera and microphone permissions.

“Due to an ‘exception’ entitlement, we showed how to inject a malicious library into Zoom’s trusted process context,” Wardle said. “This affords malware the ability to record all Zoom meetings, or, simply spawn Zoom in the background to access the mic and webcam at arbitrary times.”

Wardle said, “the former [flaw] is problematic as many enterprises (now) utilize Zoom for (likely) sensitive business meetings, while the latter is problematic as it affords malware the opportunity to surreptitious access either the mic or the webcam, with no macOS alerts and/or prompts.”



Other Security Flaws

Zoom security issues are snowballing. The FBI on Tuesday warned of multiple reports of conferences being disrupted by pornographic or hate images and threatening language, in so-called “Zoom-bombing” attacks. These include a Massachusetts high school online classroom using Zoom, where an unidentified individual dialed in, yelled a profanity and then shouted the teacher’s home address in the middle of instruction, said the FBI’s report.

On Tuesday, security researchers uncovered a Universal Naming Convention (UNC) path injection vulnerability in the Zoom Windows client, which could enable attackers to steal Windows credentials of users. The flaw was first discovered by a Twitter user under the handle _g0dmode, and then verified by security researcher Matthew Hickey, with cybersecurity firm Hacker House.

In chat messages on its platform, Zoom automatically converts UNC paths into clickable links. A UNC path is a PC format for specifying the location of resources on a local-area network (LAN), which can be used to access network resources.

Once a victim in the chat clicks on the linked UNC path, Windows will attempt to connect to the link using an SMB file sharing protocol, according to a report by Bleeping Computer. By default, this transmits the victim’s login name and password. The password is hashed via NTLM, but can easily be sniffed out and cracked by attackers (using free tools like Hashcat).

A separate Zoom issue, reported Wednesday by Motherboard, shows that Zoom is leaking the email addresses and photos of thousands of users. This is due to an issue in Zoom’s “Company Directory,” where the platform automatically adds people to other’s lists of contacts if they use an email address sharing the same domain.

“By default, your Zoom contacts directory contains internal users in the same organization, who are either on the same account or who’s email address uses the same domain as yours (except for publicly used domains including gmail.com, yahoo.com, hotmail.com, etc) in the Company Directory section,” according to Zoom’s support page.
Newsletter

Related Articles

0:00
0:00
Close
Government Creates Emergency Support Scheme for Financially Struggling Universities
United Kingdom Replaces Traditional Farm Subsidies With Payments Linked to Environmental Performance
National Grid Reports First Week of Electricity Generation Without Fossil Fuels
United Kingdom Financial Regulator Introduces Tougher Capital Rules for Cryptocurrency Exchanges
Belfast Harbour Expands Operations to Attract Investment Through United Kingdom and European Union Market Access
Scottish Government Threatens Legal Challenge Over Westminster Cuts to North Sea Transition Funding
United Kingdom Accelerates Trans-Pennine High-Speed Rail Project Linking Northern Cities
United Kingdom Secures Ten Billion Pound Investment for Cambridge Quantum Computing Campus
Port Talbot Steelworks Wins Support for Green Hydrogen Transition and Protection of Industrial Jobs
United Kingdom Sends Royal Navy Carrier Strike Group to Indo-Pacific as Regional Security Focus Expands
National Health Service Expands Artificial Intelligence Diagnostics Across England to Reduce Screening Backlogs
United Kingdom Launches Fifty Billion Pound Infrastructure Fund to Accelerate Housing and Construction
UK Medical Chiefs Update Health Guidance to Promote Everyday Physical Activity
Office of Communications Keeps Wikipedia Under Review Under UK Online Safety Rules
UK Defence Ministry Expands Deep-Strike Capability Through Precision Missile Programme
Russell Group Universities Warn Funding Cuts Could Damage NHS Workforce Training
UK Parliament Calls for National Emergency Broadcast as Heatwave Conditions Intensify
UK and Netherlands Strengthen Naval Cooperation With New Amphibious Defence Partnership
UK Defence Ministry Joins International Missile Programme With One Hundred and Ninety Million Pound Investment
Bank of England Warns Middle East Conflict and AI Risks Could Pressure UK Economy
UK Government Introduces New Rules to Limit Foreign Influence in Political Donations
UK and France Prepare Naval Mission to Protect Shipping Through Strait of Hormuz
United States Pressures UK to Increase Defence Spending at NATO Summit
Bank of England Warns Artificial Intelligence Investment Boom Could Create Financial Stability Risks
Bank of England Begins Direct Oversight of Critical Technology Providers Supporting UK Finance
Andy Burnham Set to Become UK Prime Minister After Labour Leadership Race Clears Path to Downing Street
Scottish Fishing Industry Calls for Emergency Support Amid Rising Costs
UK Supports Stronger European Response to Russian Actions in Ukraine
Devon and Cornwall Police Release Suspect in Ann Widdecombe Murder Investigation
Scottish MPs Demand More Government Support for Fishing Industry
UK Aviation Sector Faces New Rules as Parliament Reviews Passenger Protection Reforms
King’s College London Disciplines Students Over Pro-Palestine Campus Protests
Ministry of Defence Expands Military Capabilities Through New Precision Strike Investment
United Kingdom Condemns Russian Treatment of Ukrainian Children at International Security Forum
House of Lords Reviews Civil Aviation Bill to Strengthen Passenger Rights and UK Aviation Competitiveness
UK Aerospace and Defence Industries Contribute Nearly Forty-Seven Billion Pounds to Economy
UK Government Advances Consultation on Possible Social Media Ban for Children Under Sixteen
United Kingdom Ratifies Global High Seas Treaty to Protect Marine Biodiversity
United Kingdom Joins United States Precision Strike Missile Programme With One Hundred Ninety Million Pound Investment
UK Senior NHS Doctors Vote for Further Strike Action Over Pay and Contract Disputes
BBC Leadership Resigns After Donald Trump Launches Ten Billion Dollar Defamation Lawsuit
UK Fiscal Watchdog Warns Andy Burnham Government Faces One Hundred Billion Pound Budget Challenge
The AI Invoice Shock: Layoffs Didn't Save Managers Money — They Cost Them More
Concern: Sexually Transmitted Bacterium Among Men Develops Antibiotic Resistance
Following Massive Investor Demand: SK Hynix Raises 26.5 Billion Dollars on Nasdaq
Passenger Partially Pulled Out of Ryanair Jet After Cabin Window Fails Mid-Flight
After Four Years, and Under a Heavy Veil of Secrecy: King Charles Meets His Grandchildren, Harry and Meghan's Children
Cross-Party MPs Call for National Climate Emergency Broadcast
Bayeux Tapestry Arrives in the United Kingdom for Landmark Exhibition
United Kingdom Launches Modern Slavery Prevention Programme in Vietnam
×