
New Zoom and Xerox security updates address privilege escalation and remote code execution (RCE)

Zoom and Xerox have recently addressed significant security vulnerabilities in their respective software products that could lead to privilege escalation and remote code execution. The vulnerability affecting Zoom Clients for Windows, tracked as CVE-2025-49457 with a CVSS score of 9.6, is an untrusted search path that may allow an unauthenticated user to escalate privileges via network access. The issue, reported by Zoom's own Offensive Security team, impacts several products, including Zoom Workplace for Windows and Zoom Rooms for Windows, in all versions prior to 6.3.10. Users are urged to update to a fixed version to mitigate the risk.

In parallel, Xerox has disclosed multiple vulnerabilities in its FreeFlow Core software, with the most critical issues fixed in version 8.0.4. Among them are CVE-2025-8355, an XML External Entity (XXE) injection vulnerability with a CVSS score of 7.5, and CVE-2025-8356, a path traversal vulnerability rated 9.8. Both are relatively easy to exploit and could enable attackers to execute arbitrary commands, steal sensitive data, or move laterally within corporate environments. Horizon3.ai has highlighted the potential severity of these issues, emphasising the importance of applying the update promptly.
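The two Xerox bug classes named above, XXE and path traversal, share a common root: input from a network client is handed to an XML parser or a filesystem call without being constrained first. The following is an added, generic illustration of the input checks that defeat both classes; it is not FreeFlow Core's code, not Horizon3.ai's exploit, and says nothing about how the real product was broken. The base directory, the sample job XML and the request paths are constructed for the example.

```python
import codecs
import os
import re
import urllib.parse
import xml.etree.ElementTree as ET

# Constructed sample upload root; any directory the service owns will do.
BASE_DIR = os.path.abspath("uploads")


def safe_join(base_dir: str, user_path: str):
    """Resolve a client-supplied relative path under base_dir.

    Returns the absolute path, or None when the request would escape
    base_dir (path traversal). URL-decoding is applied twice so that
    '%2e%2e/' and the double-encoded '%252e%252e/' are both caught,
    and backslashes are treated as separators so a Windows-style
    '..\\..\\' does not slip past a '/'-only check.
    """
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    normalized = decoded.replace("\\", "/")
    # Absolute paths (POSIX or drive-letter) are never acceptable from a client.
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, normalized))
    # realpath collapses '..' and follows symlinks; the result must still
    # sit inside the base directory, otherwise it is a traversal attempt.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def _to_text(xml_bytes: bytes) -> str:
    """Decode honouring a BOM so a UTF-16 document cannot hide '<!DOCTYPE'
    from a byte-level check."""
    for bom, enc in ((codecs.BOM_UTF8, "utf-8"),
                     (codecs.BOM_UTF16_LE, "utf-16-le"),
                     (codecs.BOM_UTF16_BE, "utf-16-be")):
        if xml_bytes.startswith(bom):
            return xml_bytes[len(bom):].decode(enc, errors="replace")
    return xml_bytes.decode("utf-8", errors="replace")


def parse_untrusted_xml(xml_bytes: bytes) -> ET.Element:
    """Parse XML from a client, refusing any DTD.

    External entities (the vehicle for XXE) can only be declared inside a
    DOCTYPE, and a workflow submission has no legitimate need for one, so
    rejecting every '<!DOCTYPE' / '<!ENTITY' before the parser sees the
    document removes the whole class rather than individual payloads.
    """
    text = _to_text(xml_bytes)
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.IGNORECASE):
        raise ValueError("DTD/entity declarations are not accepted")
    return ET.fromstring(text)


# Constructed samples: a benign job file and a classic file-read XXE payload.
BENIGN_JOB = b'<?xml version="1.0"?><job><name>print-run-42</name></job>'
XXE_JOB = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE job [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<job><name>&xxe;</name></job>')


if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN_JOB).find("name").text)
    for p in ["reports/job1.pdf", "../../etc/passwd",
              "%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/passwd"]:
        print(repr(p), "->", safe_join(BASE_DIR, p))
```

The traversal check deliberately decodes before normalising and compares resolved real paths rather than string prefixes, since a prefix test on `uploads` would also accept `uploads_evil/`. The XML check is a whitelist by absence: instead of trying to disable each resolver feature, it refuses any document that carries a DTD at all, which is the only place an external entity can be declared.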
