Zoom released four security bulletins on March 10, 2026, disclosing multiple vulnerabilities across its Windows-based client suite.
The flaws, ranging from High to Critical severity, could allow attackers to escalate privileges on affected systems, with one critical flaw exploitable by unauthenticated remote attackers with no prior system access.
The most severe vulnerability, tracked as CVE-2026-30903 (ZSB-26005), is classified as Critical and targets the Mail feature within Zoom Workplace for Windows.
The flaw stems from External Control of File Name or Path, a weakness that lets an attacker manipulate file references to execute unauthorized operations. An unauthenticated user could exploit this vulnerability via network access to escalate privileges on affected systems.
The CVSS vector confirms that the attack requires no authentication and can be launched remotely, making it the most dangerous of the four disclosures. All Zoom Workplace for Windows installations running versions prior to 6.6.0 are affected.
Privilege Management and Input Validation Vulnerabilities
Three additional High-severity vulnerabilities round out the disclosure batch. CVE-2026-30902 (ZSB-26004) affects Zoom Clients for Windows and involves Improper Privilege Management, where incorrectly assigned user privileges could be abused to gain unauthorized elevated access.
CVE-2026-30901 (ZSB-26003) targets Zoom Rooms for Windows and involves Improper Input Validation, a class of vulnerability that allows malformed or unexpected inputs to trigger unintended behaviors, potentially including code execution or privilege changes.
CVE-2026-30900 (ZSB-26002) affects Zoom Workplace Clients for Windows and is described as an Improper Check flaw, suggesting a failure in verification logic that could be leveraged to bypass access controls.
Zoom has consistently patched similar Windows-side privilege escalation issues in recent cycles, including a Critical CVE-2025-49457 (CVSS 9.6) disclosed in August 2025, which also allowed unauthenticated network-based privilege escalation across multiple Windows clients.
| CVE ID | Bulletin | Product | Vulnerability Type | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-30903 | ZSB-26005 | Zoom Workplace for Windows | External Control of File Name or Path | Critical | 03/10/2026 |
| CVE-2026-30902 | ZSB-26004 | Zoom Clients for Windows | Improper Privilege Management | High | 03/10/2026 |
| CVE-2026-30901 | ZSB-26003 | Zoom Rooms for Windows | Improper Input Validation | High | 03/10/2026 |
| CVE-2026-30900 | ZSB-26002 | Zoom Workplace Clients for Windows | Improper Check | High | 03/10/2026 |
Mitigations
Zoom has issued patches addressing all four vulnerabilities. Organizations and individual users should take the following steps immediately:
- Update all Zoom Workplace for Windows installations to version 6.6.0 or later.
- Update Zoom Rooms for Windows and Zoom Clients for Windows to the latest available build.
- Download updates directly from the official Zoom download portal at zoom.us/download.
- Prioritize patching endpoints where Zoom Workplace is actively used, particularly in email-intensive or enterprise virtual desktop environments.
- Audit user privilege configurations within Zoom deployments to limit blast radius in the event of exploitation.
- Monitor network traffic for anomalous Zoom-related file access patterns that may indicate exploitation attempts against CVE-2026-30903.
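A quick way to act on the first two steps at fleet scale is to inventory which Zoom builds are actually installed before pushing updates. The PowerShell below is an added example, not code from Zoom or from the bulletins: it reads the standard Windows uninstall registry keys (per-machine, 32-bit view, and per-user, since Zoom is often installed per-user), normalizes the reported version, and flags any Zoom Workplace entry below 6.6.0, the fixed version named in ZSB-26005. It assumes the installed product's DisplayName contains "Zoom" (and "Workplace" for Zoom Workplace) and that DisplayVersion begins with a dotted numeric version; both are assumptions to verify against your own endpoints. Rooms and other clients have no fixed version stated in the bulletins, so they are listed for manual comparison against the latest build.

```powershell
# Added example (not Zoom's code, not from the bulletins): inventory installed Zoom
# products from the Windows uninstall registry keys and flag any Zoom Workplace
# build older than 6.6.0, the fixed version given in ZSB-26005.
# Assumptions (verify on your own fleet): DisplayName contains "Zoom", Workplace
# installs carry "Workplace" in that name, and DisplayVersion starts with a
# dotted numeric version such as "6.5.3".

$FixedWorkplaceVersion = [version]'6.6.0'

# Per-machine (64-bit and 32-bit views) and per-user uninstall keys; Zoom is
# commonly installed per-user, so HKCU is included.
$UninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function ConvertTo-NormalizedVersion {
    # Turn "6.5.3", "6.6", or "6.5.3 (12345)" into a 3-part [version] so that
    # "6.6" compares equal to "6.6.0" instead of sorting below it.
    param([string]$Raw)
    $numeric = $Raw -replace '[^0-9.].*$', ''
    $parts = @($numeric -split '\.' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    if ($parts.Count -eq 0) { return $null }
    while ($parts.Count -lt 3) { $parts += 0 }
    return [version]::new($parts[0], $parts[1], $parts[2])
}

function Get-ZoomInstallStatus {
    $entries = Get-ItemProperty -Path $UninstallPaths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zoom*' -and $_.DisplayVersion }

    foreach ($e in $entries) {
        $v = ConvertTo-NormalizedVersion -Raw $e.DisplayVersion
        if (-not $v) { continue }   # unparseable version string: skip rather than guess

        # Only ZSB-26005 states a fixed version (6.6.0 for Zoom Workplace); the
        # Rooms and other client entries are reported for manual comparison.
        if ($e.DisplayName -like '*Workplace*') {
            $status = if ($v -lt $FixedWorkplaceVersion) { 'UPDATE (below 6.6.0)' } else { 'OK' }
        } else {
            $status = 'CHECK against latest build'
        }

        [pscustomobject]@{
            Hive    = $e.PSDrive.Name      # HKLM (machine-wide) or HKCU (this user)
            Name    = $e.DisplayName
            Version = $v
            Status  = $status
        }
    }
}

# Run interactively or through your endpoint management tool; HKCU only covers
# the user the script runs as, so collect per-user results via a user-context job.
Get-ZoomInstallStatus | Sort-Object Hive, Name | Format-Table -AutoSize
```

Because the HKCU hive is only visible for the account the script runs under, a machine-wide sweep should run this once in each user's context (or enumerate loaded user hives) rather than relying on a single SYSTEM-context execution.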
Zoom urges all Windows users to apply these updates without delay, noting that no additional mitigations are available outside of upgrading to the patched version.