Zoom Connector: Resolved Security Issue
The Zoom Connectors for Cisco, Poly, and Lifesize are optional components of our Conference Room Connector product. The Connectors are so named because they connect Zoom’s cloud platform to hardware conference room systems for enterprise management and a one-touch experience.
Recently, Zoom was notified of a security vulnerability in the Zoom Connector. When a Zoom administrator uses the Connector to manage a Cisco, Poly, or Lifesize SIP or H.323 device, a complex and unique URL is generated for that login. If a bad actor were to somehow obtain that URL, for example through an exploit of the administrator’s browser, they could access the device administration functions without logging in. The URL would continue to be accessible even after the administrator had logged out or changed their password on the Zoom web portal.
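The flaw described above, a management URL that works on its own and outlives the login that created it, is modeled below as an added example; it is not Zoom's code and does not represent the patch Zoom deployed. The `Portal` class, its method names, and the sample account and device names are all hypothetical.

```python
import secrets

class Portal:
    """Hypothetical portal; all names here are assumptions, not Zoom's API."""

    def __init__(self):
        self.sessions = {}  # session id -> administrator
        self.links = {}     # URL token -> (device, issuing session id)

    def login(self, admin):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = admin
        return sid

    def issue_link(self, sid, device):
        if sid not in self.sessions:
            raise PermissionError("login required")
        token = secrets.token_urlsafe(32)  # the "complex and unique" URL part
        self.links[token] = (device, sid)
        return token

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def change_password(self, admin):
        # A password change ends every session that administrator holds.
        for sid in [s for s, a in self.sessions.items() if a == admin]:
            del self.sessions[sid]

    def access_flawed(self, token):
        # Flawed: possession of the URL is the only check.
        return token in self.links

    def access_hardened(self, token, sid=None):
        # Hardened: the URL must arrive with the live session that issued it.
        link = self.links.get(token)
        if link is None or sid is None or sid not in self.sessions:
            return False
        return secrets.compare_digest(link[1], sid)

def demo():
    p = Portal()
    sid = p.login("admin@example.test")          # constructed sample account
    url = p.issue_link(sid, "room-device-1")     # constructed device name
    before = (p.access_flawed(url), p.access_hardened(url, sid))
    p.logout(sid)
    # After logout: a stolen URL alone, then the URL plus the stale session id.
    after = (p.access_flawed(url), p.access_hardened(url), p.access_hardened(url, sid))
    return before, after
```

The flawed check keeps returning `True` after logout or a password change, while the session-bound check fails as soon as the issuing session is gone.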
On November 19, we released a patch on Zoom’s backend that resolved this security issue. Customers were not required to update their software. The same week, we alerted customers with Zoom Connectors that they should check their device logs in the Room Management section of their Administrator portal for unusual activity or unauthorized access. Consistent with responsible disclosure norms, Zoom notified Connector customers of the security issue once it was resolved so that potential bad actors would not exploit the vulnerability.
The privacy and security of Zoom’s users is our top priority. We were glad we could resolve this matter to ensure the continued security of our platform. Please see our support article and contact support.zoom.us with questions.