Mallory

Zoom Windows Client Vulnerabilities Including Critical Privilege Escalation

Tags: endpoint-software-vulnerability, widely-deployed-product-advisory
Updated March 21, 2026 at 05:50 AM · 2 sources

Zoom published security advisories on March 10, 2026 addressing multiple vulnerabilities affecting Windows components, including Zoom Workplace for Windows, Zoom Meeting SDK for Windows, Zoom Rooms for Windows, and the Zoom Workplace VDI Client for Windows. The Canadian Centre for Cyber Security advisory AV26-231 urged organizations to review Zoom’s bulletins and apply updates, noting issues spanning external control of file name or path, improper privilege management, improper input validation, and an improper check condition across the affected Windows products and versions.

Reporting on the same Zoom bulletin set, one write-up highlighted four Windows-side flaws ranging from High to Critical severity, including a Critical issue in the Zoom Workplace for Windows Mail feature tracked as CVE-2026-30903 (ZSB-26005), described as an External Control of File Name or Path weakness that could enable unauthenticated remote privilege escalation. The additional disclosed issues were described as CVE-2026-30902 (ZSB-26004) affecting Zoom Clients for Windows (Improper Privilege Management), CVE-2026-30901 (ZSB-26003) affecting Zoom Rooms for Windows (Improper Input Validation), and CVE-2026-30900 (ZSB-26002) affecting Zoom Workplace Clients for Windows (Improper Check), with remediation requiring upgrading to fixed releases per Zoom’s advisories.

Timeline

  1. Mar 12, 2026

    Canadian Centre for Cyber Security urges Zoom users to apply updates

    On 2026-03-12, the Canadian Centre for Cyber Security issued advisory AV26-231 highlighting Zoom's Windows vulnerabilities and directing users and administrators to review Zoom's bulletins, follow mitigations, and install available updates. The notice reiterated the affected products and vulnerability classes disclosed by Zoom.

  2. Mar 10, 2026

    Critical CVE-2026-30903 detailed as remote privilege-escalation flaw

    In the March 10, 2026 advisories, Zoom identified CVE-2026-30903 as the most severe issue: a Critical external control of file name or path vulnerability in the Mail feature of Zoom Workplace for Windows. The flaw could be exploited remotely without authentication to achieve privilege escalation.

  3. Mar 10, 2026

    Zoom discloses and patches four Windows product vulnerabilities

    On 2026-03-10, Zoom published four security bulletins covering multiple High-to-Critical vulnerabilities in Zoom Workplace for Windows, Zoom Clients for Windows, Zoom Rooms for Windows, Zoom Meeting SDK for Windows, and Zoom Workplace VDI Client for Windows. Zoom released fixes and instructed users to upgrade to patched versions, including Zoom Workplace for Windows version 6.6.0 or later.
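As an added check (not code from Zoom or from the advisories above), the following PowerShell enumerates Zoom entries from the standard Windows Uninstall registry keys and flags any Zoom Workplace for Windows install below the 6.6.0 fixed release the bulletins name. The DisplayName pattern and the use of the Uninstall keys are assumptions; the other affected products (Rooms, Meeting SDK, VDI Client) have their own fixed versions, which this page does not list, so their entries are reported but not judged.

```powershell
# Added example: flag Zoom Workplace for Windows installs below the fixed release (6.6.0).
# Assumptions (not from the page): Zoom registers under the standard Uninstall keys with a
# DisplayName beginning "Zoom"; only the Workplace client's fixed version (6.6.0) is known here.
$FixedWorkplaceVersion = [version]'6.6.0'

# Per-machine (64-bit and 32-bit views) and per-user install locations.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ZoomInstallStatus {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Zoom*' -and $_.DisplayVersion } |
        ForEach-Object {
            $installed = $null
            # Zoom versions look like 6.5.3.12345; parse defensively rather than string-compare.
            if (-not [version]::TryParse($_.DisplayVersion, [ref]$installed)) {
                $status = 'UnparseableVersion'
            } elseif ($_.DisplayName -notlike 'Zoom Workplace*' -and $_.DisplayName -ne 'Zoom') {
                # Rooms / SDK / VDI: fixed versions not given on this page, so report only.
                $status = 'CheckVendorBulletin'
            } elseif ($installed -lt $FixedWorkplaceVersion) {
                $status = 'Vulnerable'
            } else {
                $status = 'Patched'
            }
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = $status
            }
        }
}

$results = Get-ZoomInstallStatus
if (-not $results) {
    Write-Output 'No Zoom install found in the Uninstall registry keys.'
} else {
    $results | Format-Table -AutoSize
    # Non-zero exit lets a management tool (SCCM/Intune/RMM) treat "Vulnerable" as a finding.
    if ($results.Status -contains 'Vulnerable') { exit 1 }
}
```

Run it under the management tool's remediation-detection slot so that a non-zero exit raises the host as non-compliant until the client is upgraded.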

Related Stories

Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith

Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. 
In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.

1 month ago

Critical RCE in Zoom Node Multimedia Routers (CVE-2026-22844)

Zoom disclosed and patched a **critical command-injection vulnerability** in *Zoom Node Multimedia Routers (MMRs)* that could allow **remote code execution** by a **meeting participant** over network access. The issue, tracked as **CVE-2026-22844** with a **CVSS 9.9**, affects Zoom Node MMR modules **prior to version 5.2.1716.0**; Zoom advised customers running **Zoom Node Meetings Hybrid (ZMH)** and **Zoom Node Meeting Connector (MC)** deployments to update to **5.2.1716.0 or later**. Zoom stated it has **no evidence of in-the-wild exploitation** at the time of disclosure. Separately, GitLab released fixes for multiple high-severity vulnerabilities in **GitLab CE/EE**, including issues that could enable **denial-of-service (DoS)** and a **two-factor authentication (2FA) bypass** (e.g., **CVE-2025-13927** and **CVE-2025-13928**, both CVSS 7.5, affecting broad version ranges). While reported alongside the Zoom update in one source, the GitLab items represent a distinct patch set and are not part of the Zoom MMR vulnerability event.

1 month ago

Microsoft February Patch Tuesday Fixes Actively Exploited Zero-Days Including Windows RDS Privilege Escalation

Microsoft’s February 2026 Patch Tuesday shipped fixes for **58 vulnerabilities** across Windows, Office, and related components, including **six zero-days reported as actively exploited**. Reported zero-days included **CVE-2026-21533** (Windows **Remote Desktop Services** elevation of privilege), **CVE-2026-21510** (Windows Shell security feature bypass involving SmartScreen/Mark-of-the-Web), **CVE-2026-21513** and **CVE-2026-21514** (Office/MSHTML mitigation bypasses requiring user interaction), and **CVE-2026-21525** (Windows Remote Access Connection Manager DoS). Coverage of the release emphasized that elevation-of-privilege issues were the largest category in the update set, and that organizations should prioritize rapid deployment given in-the-wild exploitation claims. For **CVE-2026-21533** (CVSS 7.8, *Important*), reporting cited CrowdStrike observations of an exploit binary used post-compromise to reach **SYSTEM** by modifying a service configuration **registry key** to point to attacker-controlled values, enabling actions such as adding a user to the local Administrators group; the issue primarily impacts Windows systems where RDS is enabled and is positioned as a strong enabler for lateral movement in RDP-heavy environments. Separately, a January 2026-patched local privilege escalation in Windows Error Reporting, **CVE-2026-20817** (CVSS 7.8), was described with technical detail and a released PoC: the WER service (`wersvc.dll`) allegedly failed to validate requester permissions over ALPC, allowing a standard user to trigger process creation with a SYSTEM-derived token retaining powerful privileges (e.g., `SeDebugPrivilege`, `SeImpersonatePrivilege`, `SeBackupPrivilege`), underscoring the broader trend of Windows local EoP bugs being leveraged for post-exploitation escalation.

1 month ago