Threat Watch

Annual Pwn2Own Contest Reveals No User Interaction Zoom Remote Code Execution

Pwn2Own is an annual contest held by the Zero Day Initiative that gives hackers and researchers from around the world a chance to win substantial monetary rewards for demonstrating never-before-seen exploits against some of the most widely used software and hardware, with the goal of helping vendors improve the security of their products.

This year Zoom came under the microscope of Daan Keuper and Thijs Alkemade from Computest. They exploited the Zoom messenger client with a chain of three bugs, obtaining remote code execution without requiring any user interaction. As of this writing, the attack is known to work against the Windows and Mac versions of the Zoom client and has not yet been shown to be effective against the iOS or Android apps. Zoom has been notified privately and is in the process of producing a patch for this vulnerability. A suggested workaround is to use the browser version of the Zoom client on Windows or Mac.


At the time of writing this exploit is not public and the conditions needed to reproduced are held internally by the team the discovered and Zoom. As reported by Zoom itself, the browser version is free from this vulnerability and a patch is on it’s way. Users, companies, and Government entities with concern regarding sensitive information are recommended to forgo usage or limit usage to the web browser versions until a patch can be seen. Binary Defense Counter Intelligence team and Researchers on the Threat Hunt team are aware and monitoring for the possibility of a public proof of concept being released before Zoom has been patched.