In a joint security push, Zoom and Xerox disclosed patches for high-severity flaws in Zoom Clients for Windows and Xerox FreeFlow Core that could enable privilege escalation and remote code execution. The Windows vulnerability, tracked as CVE-2025-49457, carries a CVSS score of 9.6 and stems from an untrusted search path that could allow an unauthenticated attacker to escalate privileges via network access, Zoom said in a security bulletin.
Zoom’s advisory notes that the untrusted search path issue could be exploited remotely, and lists the affected products as including Zoom Workplace for Windows before version 6.3.10, Zoom Workplace VDI for Windows before 6.3.10 (excluding 6.1.16 and 6.2.12), Zoom Rooms for Windows before 6.3.10, Zoom Rooms Controller for Windows before 6.3.10, and the Zoom Meeting SDK for Windows before 6.3.10.
The Zoom bulletin quotes the vulnerability description: "Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access."
The company credited the report to its Offensive Security team; the affected products are those listed above.
Separately, Xerox disclosed multiple vulnerabilities in FreeFlow Core, patched in version 8.0.4. The two most severe are CVE-2025-8355, an XML External Entity (XXE) injection vulnerability leading to server-side request forgery (SSRF), with a CVSS score of 7.5, and CVE-2025-8356, a path traversal vulnerability leading to remote code execution, with a CVSS score of 9.8. Horizon3.ai described these vulnerabilities as rudimentary to exploit and capable of enabling arbitrary command execution, data theft, or lateral movement within enterprise networks.
The Xerox disclosures were published in its security bulletin for FreeFlow Core 8.0.5 (and related versions); for details, see Xerox Security Bulletin 025-013 for FreeFlow Core 8.0.5.
Security researchers behind the disclosures emphasized the potential impact on enterprise environments, including remote command execution, data exposure, and lateral movement if the flaws are exploited. Zoom's advisory and Xerox's bulletin were issued as part of ongoing efforts to address critical vulnerabilities across widely used collaboration and document-workflow platforms.