Urgent Security Patches: Zoom and Xerox Address Critical Flaws

Zoom has patched a critical vulnerability in its Windows clients, while Xerox has issued fixes for severe flaws in its FreeFlow Core system. Both issues posed significant threats—ranging from privilege escalation to remote code execution—placing corporate networks and sensitive data at risk.

In Zoom’s case, the flaw is tracked as CVE-2025-49457 with a CVSS score of 9.6. The issue stemmed from an untrusted search path, allowing an unauthenticated remote attacker to escalate privileges within the system. It was uncovered by the company’s own Offensive Security team. Affected products included Zoom Workplace, Zoom Workplace VDI, Zoom Rooms, Zoom Rooms Controller, and the Zoom Meeting SDK for Windows—in all versions prior to 6.3.10, with the exception of select VDI builds (6.1.16 and 6.2.12).

Meanwhile, Xerox addressed two vulnerabilities in FreeFlow Core, resolved in version 8.0.4.

  • The first, CVE-2025-8355 (CVSS 7.5), was an XXE injection capable of leading to Server-Side Request Forgery (SSRF). It originated from the jmfclient.jar module, which processes JMF (Job Message Format) instructions for managing print jobs and their statuses. The module’s XML parser lacked restrictions on external entity handling, enabling specially crafted requests to trigger SSRF attacks.
  • The second, CVE-2025-8356 (CVSS 9.8), involved improper handling of JMF commands used for file loading and processing. This flaw allowed directory traversal and the upload of a web shell into a public directory through a crafted HTTP request. Although the service on port 4004 could not directly serve files, the main web portals of the product contained functionality that could execute and distribute the malicious payload.

According to Horizon3.ai, both vulnerabilities were trivial to exploit, enabling data theft, arbitrary command execution, and lateral movement within networks—making them powerful tools for attackers seeking to expand their foothold.