**Synopsis**Tenable discovered a flaw in Zoom's thick client that allows attackers to hijack control of presenters’ desktops, spoof chat messages, and kick attendees out of Zoom calls. The flaw is due to the lack of message validation. An attacker can spoof Zoom server messages to invoke restricted functionalities reserved for Zoom servers.In order to successfully exploit this vulnerability the attacker needs know the IP address of an attendee or a Zoom server IP address. Also, the attacker needs to know the attendees meeting attendee IDs, but they can be trivially brute forced.Because Zoom seems to accept unencrypted UDP messages even when encrypted sessions are enabled, an attacker can exploit this vulnerability without authentication or knowledge of the encryption key.A full proof of concept can be found in our [GitHub repository](https://github.com/tenable/poc/tree/master/Zoom). A video of the exploit can be found on our [blog](https://www.tenable.com/blog/tenable-research-advisory-zoom-unauthorized-command-execution-cve-2018-15715).