Critical RCE in Zoom Node Multimedia Routers (CVE-2026-22844)

Tags: widely-deployed-product-advisory, internet-facing-service-vulnerability, identity-authentication-vulnerability
Updated March 21, 2026 at 02:48 PM (4 sources)

Zoom disclosed and patched a critical command-injection vulnerability in Zoom Node Multimedia Routers (MMRs) that could allow a meeting participant with network access to achieve remote code execution. The issue, tracked as CVE-2026-22844 with a CVSS score of 9.9, affects Zoom Node MMR modules prior to version 5.2.1716.0; Zoom advised customers running Zoom Node Meetings Hybrid (ZMH) and Zoom Node Meeting Connector (MC) deployments to update to 5.2.1716.0 or later. Zoom stated it has no evidence of in-the-wild exploitation at the time of disclosure.
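To check a fleet against the fixed version stated above, the following added example (not Zoom's tooling and not part of the original advisory) audits an asset inventory for MMR modules below 5.2.1716.0. The CSV layout, host names and module labels are constructed assumptions; versions are compared numerically per component, and unparseable values are flagged for review instead of being treated as patched.

```python
import csv
import io

FIXED = (5, 2, 1716, 0)  # first fixed MMR version per the advisory text

# Constructed sample inventory; columns, hosts and labels are assumptions.
SAMPLE_INVENTORY = """host,deployment,module,version
zmh-node-01,ZMH,MMR,5.2.1716.0
zmh-node-02,ZMH,MMR,5.2.1699.0
mc-node-01,MC,MMR,5.1.2000.3
mc-node-02,MC,MMR,5.10.12.0
mc-node-03,MC,MMR,unknown
zmh-node-03,ZMH,OTHER,5.0.100.0
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not N.N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv):
    """Map each MMR host to 'patched', 'vulnerable' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["module"].strip().upper() != "MMR":
            continue  # only MMR modules are in scope for this CVE
        version = parse_version(row["version"])
        if version is None:
            status = "review"  # unknown version: never assume patched
        elif version < FIXED:  # tuple compare, so 5.10.x sorts above 5.2.x
            status = "vulnerable"
        else:
            status = "patched"
        results[row["host"]] = status
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

A plain string comparison would misclassify `5.10.12.0` as older than `5.2.1716.0`, which is why each component is converted to an integer first.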

Separately, GitLab released fixes for multiple high-severity vulnerabilities in GitLab CE/EE, including issues that could enable denial-of-service (DoS) and a two-factor authentication (2FA) bypass (e.g., CVE-2025-13927 and CVE-2025-13928, both CVSS 7.5, affecting broad version ranges). While reported alongside the Zoom update in one source, the GitLab items represent a distinct patch set and are not part of the Zoom MMR vulnerability event.

Timeline

  1. Jan 21, 2026

    Zoom releases MMR 5.2.1716.0 to remediate the flaw

    Zoom released security updates fixing CVE-2026-22844 and instructed administrators to upgrade Zoom Node Multimedia Routers to version 5.2.1716.0 or later. The update addresses affected MMR versions prior to 5.2.1716.0 and was presented as an urgent remediation step.

  2. Jan 21, 2026

    Zoom discloses critical CVE-2026-22844 in Node Multimedia Routers

    Zoom disclosed a critical command injection vulnerability, CVE-2026-22844, affecting Zoom Node Multimedia Routers used in Node Meetings Hybrid and Meeting Connector deployments. The flaw could allow a meeting participant with network access to achieve remote code execution against the MMR, and Zoom said it had no evidence of in-the-wild exploitation.

Related Stories

Zoom Windows Client Vulnerabilities Including Critical Privilege Escalation

Zoom published security advisories on March 10, 2026 addressing multiple vulnerabilities affecting Windows components, including *Zoom Workplace for Windows*, *Zoom Meeting SDK for Windows*, *Zoom Rooms for Windows*, and the *Zoom Workplace VDI Client for Windows*. The Canadian Centre for Cyber Security advisory **AV26-231** urged organizations to review Zoom’s bulletins and apply updates, noting issues spanning **external control of file name or path**, **improper privilege management**, **improper input validation**, and an **improper check** condition across the affected Windows products and versions. Reporting on the same Zoom bulletin set, one write-up highlighted four Windows-side flaws ranging from **High to Critical** severity, including a **Critical** issue in the Zoom Workplace for Windows Mail feature tracked as **CVE-2026-30903 (ZSB-26005)**, described as an *External Control of File Name or Path* weakness that could enable **unauthenticated remote privilege escalation**. The additional disclosed issues were described as **CVE-2026-30902 (ZSB-26004)** affecting Zoom Clients for Windows (*Improper Privilege Management*), **CVE-2026-30901 (ZSB-26003)** affecting Zoom Rooms for Windows (*Improper Input Validation*), and **CVE-2026-30900 (ZSB-26002)** affecting Zoom Workplace Clients for Windows (*Improper Check*), with remediation requiring upgrading to fixed releases per Zoom’s advisories.

1 month ago

Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith

Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. 
In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.

1 month ago

GitLab Patches CSRF and WebSocket Access Control Flaws in CE/EE

GitLab disclosed and remediated two high-severity vulnerabilities in GitLab CE/EE that could expose sensitive data and enable unauthorized actions. **CVE-2026-3857** is a `CWE-352` cross-site request forgery flaw in GitLab GraphQL functionality caused by insufficient CSRF protection, allowing an unauthenticated attacker to trigger arbitrary GraphQL mutations on behalf of an authenticated user if that user can be induced to interact. The issue affects versions from `17.10` before `18.8.7`, `18.9` before `18.9.3`, and `18.10` before `18.10.1`. GitLab also fixed **CVE-2026-5173**, a `CWE-749` improper access control issue that lets an authenticated user invoke unintended server-side methods over websocket connections. That flaw affects versions from `16.9.6` before `18.8.9`, `18.9` before `18.9.5`, and `18.10` before `18.10.3`, with GitLab rating it as network-exploitable with low attack complexity and significant confidentiality impact. GitLab published patch release information and related work items for both vulnerabilities, urging customers to update affected self-managed deployments to the fixed releases.

3 weeks ago
