CVE-2017-15049
published 2017-12-19

Priority: P2 72 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 17.05% (96.7th percentile)
The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 does not properly sanitize user input when constructing a shell command, which allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler.

Affected

1 range
Vendor: zoom
Product: zoom
Version range: < 2.0.115900.1201
Fixed in: 2.0.115900.1201

Detection & IOCs (extracted from sources)

other: zoommtg://
command: zoommtg://$(gnome-calculator${IFS}-e${IFS}1337)
path: /opt/zoom/ZoomLauncher
snort:
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT Zoom Linux Client Command Injection (CVE-2017-15049)"; flow:established,to_client; file.data; content:"zoommtg|3a 2f 2f|"; pcre:"/^[^\x22\x27]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,packetstorm.news/files/id/145453; reference:cve,2017-15049; classtype:bad-unknown; sid:2066200; rev:1; metadata:affected_product Zoom, attack_target Client_Endpoint, tls_state TLSDecrypt, created_at 2025_12_09, cve CVE_2017_15049, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, updated_at 2025_12_09; target:dest_ip;)
bytes: zoommtg|3a 2f 2f|
  • Monitor for shell metacharacters (;, &, `, |, $) immediately following a zoommtg:// URI, as the ZoomLauncher binary passes unsanitized user input directly into a shell command string.
  • The constructed shell command includes environment variable exports before invoking /opt/zoom/zoom; look for process executions of /opt/zoom/zoom with arguments containing $(...) or backtick subshell syntax.
  • The exploit is triggerable via a web page using window.location redirect to a zoommtg:// URI; monitor browser-spawned processes that invoke ZoomLauncher with shell-special characters in arguments.
  • The Snort/Suricata rule targets TLS-decrypted traffic (tls_state TLSDecrypt) flowing to_client; deploy on perimeter and internal sensors with SSL inspection enabled.
  • The Snort/Suricata rule requires TLS decryption to be active; without SSL inspection the content match on zoommtg:// in encrypted traffic will not fire.
  • The vulnerability affects Zoom client for Linux versions before 2.0.115900.1201; the confirmed vulnerable version is 2.0.106600.0904 (zoom_amd64.deb). Other versions may also be vulnerable.
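
The host-side check described in the bullets above, as an added example (not taken from the advisory, the rule authors or Zoom): it applies the rule's character class to the zoommtg:// argument of processes started from /opt/zoom/. The event layout, the sample events and the high/review split are assumptions made here; "&" alone is marked for review because it is also the ordinary query-string separator in URIs.

```python
import re

# The zoommtg:// argument up to the first whitespace or quote character.
URI_RE = re.compile(r"zoommtg://[^\s\x22\x27]*")
# Character class from the rule's PCRE: ; & ` | $
RULE_CHARS = set(";&`|$")
# Assumption (triage choice made for this example): subshell syntax, ';' and
# '|' have no place in a meeting URI, so they are reported as high confidence.
STRONG_TOKENS = ("$(", "${", "`", ";", "|")


def classify(cmdline):
    """Return 'high', 'review' or None for one process command line."""
    match = URI_RE.search(cmdline)
    if match is None:
        return None
    uri = match.group(0)
    if any(token in uri for token in STRONG_TOKENS):
        return "high"
    if RULE_CHARS & set(uri):
        # Matches the rule's class, but only via '&' or a bare '$'.
        return "review"
    return None


def scan(events):
    """Return (pid, verdict) for flagged executions under /opt/zoom/."""
    hits = []
    for event in events:
        if not event["exe"].startswith("/opt/zoom/"):
            continue
        verdict = classify(event["cmdline"])
        if verdict is not None:
            hits.append((event["pid"], verdict))
    return hits


# Constructed process-execution events (hypothetical field names and values).
SAMPLE_EVENTS = [
    {"pid": 4101, "exe": "/opt/zoom/ZoomLauncher",
     "cmdline": "/opt/zoom/ZoomLauncher zoommtg://zoom.us/join?confno=123456789"},
    {"pid": 4102, "exe": "/opt/zoom/ZoomLauncher",
     "cmdline": "/opt/zoom/ZoomLauncher zoommtg://zoom.us/join?confno=123456789&pwd=abc"},
    {"pid": 4103, "exe": "/opt/zoom/ZoomLauncher",
     "cmdline": "/opt/zoom/ZoomLauncher zoommtg://$(gnome-calculator${IFS}-e${IFS}1337)"},
    {"pid": 4104, "exe": "/usr/bin/firefox",
     "cmdline": "firefox https://example.com/"},
]

if __name__ == "__main__":
    for pid, verdict in scan(SAMPLE_EVENTS):
        print(pid, verdict)
```

The "review" verdict marks where the rule's character class alone cannot separate a join link carrying several query parameters from an injected command, which fits the rule's own "confidence Medium" metadata.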

CVSS provenance

nvd  v3.1  8.8  HIGH      CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd  v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C