A newly disclosed batch of vulnerabilities in Zoom's software suite could give attackers the leverage they need to take over systems. Zoom has released critical security updates to patch three distinct flaws affecting its Windows and iOS applications.
The most dangerous of these vulnerabilities allows an authenticated local attacker to elevate system privileges, effectively turning a standard user account into a high-level administrative threat.
Zoom Rooms and Workplace Flaws
The first major flaw affects Zoom Rooms for Windows. Tracked as CVE-2026-30906, this high-severity vulnerability carries a CVSS base score of 7.8 out of 10.
The problem originates from an untrusted search path weakness in the software's installer. An attacker who already has standard local access to a machine can exploit it to escalate their privileges.
Attackers typically use this level of access to disable security tools, steal sensitive business data, or deploy ransomware. The vulnerability affects all versions of Zoom Rooms for Windows before 7.0.0.
Security researcher "sim0nsecurity" discovered a second high-severity bug in the Zoom Workplace VDI Plugin for Windows.
Tracked as CVE-2026-30905, this flaw also has a CVSS score of 7.8. It is caused by external control of a file name or path within the software's Windows Universal Installer.
Much like the Zoom Rooms bug, this vulnerability gives a local, authenticated user a clear path to a privilege escalation attack. It specifically affects Zoom Workplace VDI Plugin version 6.6.10, requiring an immediate update to version 6.6.11 or newer.
While Windows environments face the most serious escalation risks, mobile users are also affected by this batch of updates. Zoom Workplace for iOS suffers from a lower-severity flaw tracked as CVE-2026-30904.
This issue involves a failure of a security mechanism that could lead to unauthorized information disclosure.
With a CVSS score of 1.8, the immediate risk is considered low because the attacker requires physical access to the target's iOS device.
Still, it represents a frustrating privacy breach for affected users. Security researcher "errorsec_" reported this flaw, which affects all iOS app versions older than 7.0.0.
| CVE ID | Product | Vulnerability Type | Severity | CVSS Score |
|---|---|---|---|---|
| CVE-2026-30906 | Zoom Rooms for Windows | Untrusted Search Path | High | 7.8 |
| CVE-2026-30905 | Zoom Workplace VDI Plugin (Windows) | External Control of File Name/Path | High | 7.8 |
| CVE-2026-30904 | Zoom Workplace for iOS | Security Mechanism Failure | Low | 1.8 |
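For administrators who need to find exposed installs across a fleet, the affected-version boundaries above translate directly into an inventory check. The script below is an added example written for this article, not Zoom's own tooling: it parses version strings numerically (so that 6.6.9 sorts below 6.6.10, which a plain string comparison gets wrong) and applies the three rules exactly as the advisory summary states them. The hostnames, product labels and installed versions in the sample inventory are constructed for illustration. Because the text names only 6.6.10 as affected for the VDI plugin, the default mode flags that version alone; the `conservative` switch treats anything below the fixed release as affected, which is how many patch-management teams prefer to read such advisories.

```python
"""Flag Zoom installs that fall inside the affected ranges stated in the advisory summary.

Rules, as given in the article:
  CVE-2026-30906  Zoom Rooms for Windows      affected: < 7.0.0   fixed: 7.0.0
  CVE-2026-30905  Zoom Workplace VDI Plugin   affected: == 6.6.10 fixed: 6.6.11
  CVE-2026-30904  Zoom Workplace for iOS      affected: < 7.0.0   fixed: 7.0.0
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '6.6.10 (12345)' or 'v7.0.0' into a tuple of ints for numeric comparison."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so (7, 0) and (7, 0, 0) compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a: Version, b: Version) -> bool:
    a, b = _pad(a, b)
    return a < b


def version_eq(a: Version, b: Version) -> bool:
    a, b = _pad(a, b)
    return a == b


# product label -> (CVE, fixed version, exact affected version or None).
# Product labels are this example's own; map your inventory's names onto them.
RULES: Dict[str, Tuple[str, Version, Optional[Version]]] = {
    "Zoom Rooms for Windows": ("CVE-2026-30906", (7, 0, 0), None),
    "Zoom Workplace VDI Plugin": ("CVE-2026-30905", (6, 6, 11), (6, 6, 10)),
    "Zoom Workplace for iOS": ("CVE-2026-30904", (7, 0, 0), None),
}


def is_affected(product: str, installed: Version, conservative: bool = False) -> bool:
    """Strict mode follows the article literally (VDI: only 6.6.10).
    Conservative mode flags every build below the fixed version."""
    _, fixed, exact = RULES[product]
    if exact is not None and not conservative:
        return version_eq(installed, exact)
    return version_lt(installed, fixed)


def assess(inventory: List[Tuple[str, str, str]], conservative: bool = False) -> List[Dict[str, str]]:
    """inventory rows are (host, product, version string); returns one finding per affected install."""
    findings = []
    for host, product, ver in inventory:
        if product not in RULES:
            continue  # not a product covered by this advisory
        cve, fixed, _ = RULES[product]
        if is_affected(product, parse_version(ver), conservative):
            findings.append({
                "host": host,
                "product": product,
                "installed": ver,
                "cve": cve,
                "update_to": ".".join(map(str, fixed)),
            })
    return findings


# Constructed sample inventory: hypothetical hosts and versions, not real telemetry.
SAMPLE_INVENTORY = [
    ("room-lobby-01", "Zoom Rooms for Windows", "6.4.2 (1234)"),
    ("room-board-02", "Zoom Rooms for Windows", "7.0.0"),
    ("vdi-gw-07", "Zoom Workplace VDI Plugin", "6.6.10"),
    ("vdi-gw-08", "Zoom Workplace VDI Plugin", "6.6.9"),
    ("vdi-gw-09", "Zoom Workplace VDI Plugin", "6.6.11"),
    ("iphone-cfo", "Zoom Workplace for iOS", "6.7.1"),
    ("iphone-ops", "Zoom Workplace for iOS", "7.1.0"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f['host']:14} {f['product']:28} {f['installed']:14} {f['cve']}  -> update to {f['update_to']}")
```

Feed `assess()` rows exported from your software inventory (MDM, SCCM/Intune, or a VDI image manifest) and route the findings into the patch queue; the `update_to` field is the minimum version the article reports as fixed for each product.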
Privilege escalation vulnerabilities are highly prized by threat actors looking to move laterally across enterprise networks. To keep these localized attacks from escalating into major corporate security breaches, organizations should prioritize their software update pipelines.
Zoom strongly urges all users, IT administrators, and remote workers to apply the latest security patches immediately. Users can secure their devices by downloading the newest patched software versions directly from the official Zoom download center.