A newly disclosed batch of vulnerabilities in Zoom’s software suite could give attackers the leverage they need to hijack systems. Zoom has released critical security updates to patch three distinct flaws affecting its Windows and iOS applications.
The most dangerous of these vulnerabilities allows authenticated attackers to elevate their system privileges, effectively turning a standard user account into a high-level administrative threat.
Zoom Rooms and Workplace Flaws
The first major flaw targets Zoom Rooms for Windows. Tracked as CVE-2026-30906, this high-severity vulnerability carries a CVSS base score of 7.8 out of 10.
The problem originates from an untrusted search path vulnerability in the software’s installer. If an attacker already has standard local access to a machine, they can exploit this weakness to escalate their privileges.
Hackers often use this deep level of access to turn off security tools, steal sensitive enterprise data, or deploy ransomware. The vulnerability affects all versions of Zoom Rooms for Windows before 7.0.0.
Security researcher “sim0nsecurity” discovered a second high-severity bug in the Zoom Workplace VDI Plugin for Windows.
Tracked as CVE-2026-30905, this flaw also has a CVSS score of 7.8. It is caused by the external control of a file name or path within the software’s Windows Universal Installer.
Much like the Zoom Rooms bug, this vulnerability provides a clear path for a local, authenticated user to trigger a privilege escalation attack. It specifically impacts the Zoom Workplace VDI Plugin version 6.6.10, requiring an immediate update to version 6.6.11 or newer.
While Windows environments face the most critical escalation risks, mobile users are also affected by this batch of updates. Zoom Workplace for iOS suffers from a lower-severity flaw tracked as CVE-2026-30904.
This issue involves a failure of a protection mechanism that could lead to unauthorized information disclosure.
With a CVSS score of 1.8, the immediate risk is considered low because the attacker requires physical access to the target’s iOS device.
However, it still represents a frustrating privacy breach for affected users. Security researcher “errorsec_” reported this flaw, which affects all iOS app versions older than 7.0.0.
| CVE ID | Product | Vulnerability Type | Severity | CVSS Score |
|---|---|---|---|---|
| CVE-2026-30906 | Zoom Rooms for Windows | Untrusted Search Path | High | 7.8 |
| CVE-2026-30905 | Zoom Workplace VDI Plugin (Windows) | External Control of File Name/Path | High | 7.8 |
| CVE-2026-30904 | Zoom Workplace for iOS | Protection Mechanism Failure | Low | 1.8 |
Privilege escalation vulnerabilities are highly prized by threat actors looking to move laterally across enterprise networks. To prevent these localized attacks from escalating into major corporate security breaches, organizations must prioritize their software update pipelines.
Zoom strongly urges all users, IT administrators, and remote workers to apply the latest security patches immediately. Users can secure their devices by downloading the most recent, patched software versions directly from the official Zoom download center.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
