CVE-2017-15049
Published 2017-12-19
Priority: P2 72 · Severity: high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 17.05% (96.7th percentile)
The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 does not properly sanitize user input when constructing a shell command, which allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zoom | zoom | < 2.0.115900.1201 | 2.0.115900.1201 |
Detection & IOCs (extracted from sources)
Snort rule:
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Zoom Linux Client Command Injection (CVE-2017-15049)"; flow:established,to_client; file.data; content:"zoommtg|3a 2f 2f|"; pcre:"/^[^\x22\x27]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,packetstorm.news/files/id/145453; reference:cve,2017-15049; classtype:bad-unknown; sid:2066200; rev:1; metadata:affected_product Zoom, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2017_15049, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2025_12_09; target:dest_ip;)
Byte pattern: zoommtg|3a 2f 2f|
- Monitor for shell metacharacters (;, &, `, |, $) following a zoommtg:// URI before any quote character (the rule's PCRE matches this sequence), as the ZoomLauncher binary passes unsanitized user input directly into a shell command string.
- The constructed shell command includes environment variable exports before invoking /opt/zoom/zoom; look for process executions of /opt/zoom/zoom with arguments containing $(...) or backtick subshell syntax.
- The exploit is triggerable via a web page using a window.location redirect to a zoommtg:// URI; monitor browser-spawned processes that invoke ZoomLauncher with shell-special characters in their arguments.
- The Snort/Suricata rule targets TLS-decrypted traffic (tls_state TLSDecrypt) flowing to_client; deploy it on perimeter and internal sensors with SSL inspection enabled.
- The Snort/Suricata rule requires TLS decryption to be active; without SSL inspection the content match on zoommtg:// in encrypted traffic will not fire.
- The vulnerability affects the Zoom client for Linux in versions before 2.0.115900.1201; the confirmed vulnerable version is 2.0.106600.0904 (zoom_amd64.deb). Other versions may also be vulnerable.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
Suricata
ET EXPLOIT Zoom Linux Client Command Injection (CVE-2017-15049)
Source: suricata · Created: 2025-12-09 · Severity: HIGH · CVSS 8.8
Rule: sid 2066200, rev 1 (same rule text as the Snort rule listed under Detection & IOCs above)
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/145453/Zoom-Linux-Client-2.0.106600.0904-Command-Injection.html
- http://seclists.org/fulldisclosure/2017/Dec/47
- https://github.com/convisoappsec/advisories/blob/master/2017/CONVISO-17-003.txt
- https://www.exploit-db.com/exploits/43354/