Zoom vulnerability related to OpenSSL libraries (libcrypto-3-zm.dll and libssl-3-zm.dll) detected by security.microsoft.com
Hello Zoom Community,
We are currently deploying Zoom Workplace 7.1.0 across our Windows 11 enterprise environment and have identified an issue reported by Microsoft Defender Vulnerability Management.
Microsoft Defender is detecting the bundled OpenSSL libraries within the Zoom installation as vulnerable:
- libcrypto-3-zm.dll – Version 3.4.4.0
- libssl-3-zm.dll – Version 3.4.4.0
These files are located under:
C:\Users\<username>\AppData\Roaming\Zoom\bin\
As a result, Microsoft Defender is generating an "Update owning apps: vulnerable OpenSSL libraries detected" recommendation and associating these files with multiple OpenSSL CVEs (including CVE-2026-28387 and additional OpenSSL vulnerabilities).
This currently affects all of our deployed Zoom clients.
Could you please advise:
- Are these vulnerabilities acknowledged by Zoom for Zoom Workplace 7.1.0?
- Is Zoom planning to update the bundled OpenSSL libraries to a version that addresses these CVEs (for example, OpenSSL 3.4.5 or later)?
- Is there an estimated timeline or target release for this update?
- Are there any mitigations or official guidance from Zoom while we await an updated release?
We would appreciate any information you can provide, as these findings are currently being reported across our Microsoft Defender Vulnerability Management dashboard and are impacting our enterprise vulnerability compliance reporting.
Thank you for your assistance.
