Critical RCE in Zoom Node Multimedia Routers (CVE-2026-22844)
Zoom disclosed and patched a critical command-injection vulnerability in Zoom Node Multimedia Routers (MMRs) that could allow remote code execution by a meeting participant over network access. The issue, tracked as CVE-2026-22844 with a CVSS 9.9, affects Zoom Node MMR modules prior to version 5.2.1716.0; Zoom advised customers running Zoom Node Meetings Hybrid (ZMH) and Zoom Node Meeting Connector (MC) deployments to update to 5.2.1716.0 or later. Zoom stated it has no evidence of in-the-wild exploitation at the time of disclosure.
Separately, GitLab released fixes for multiple high-severity vulnerabilities in GitLab CE/EE, including issues that could enable denial-of-service (DoS) and a two-factor authentication (2FA) bypass (e.g., CVE-2025-13927 and CVE-2025-13928, both CVSS 7.5, affecting broad version ranges). While reported alongside the Zoom update in one source, the GitLab items represent a distinct patch set and are not part of the Zoom MMR vulnerability event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Zoom releases MMR 5.2.1716.0 to remediate the flaw
Zoom released security updates fixing CVE-2026-22844 and instructed administrators to upgrade Zoom Node Multimedia Routers to version 5.2.1716.0 or later. The update addresses affected MMR versions prior to 5.2.1716.0 and was presented as an urgent remediation step.
Zoom discloses critical CVE-2026-22844 in Node Multimedia Routers
Zoom disclosed a critical command injection vulnerability, CVE-2026-22844, affecting Zoom Node Multimedia Routers used in Node Meetings Hybrid and Meeting Connector deployments. The flaw could allow a meeting participant with network access to achieve remote code execution against the MMR, and Zoom said it had no evidence of in-the-wild exploitation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Zoom addresses critical remote code execution vulnerability | SC Media
scworld.com
Open sourceZoom and GitLab Patch RCE, DoS, and 2FA Bypass Vulnerabilities - TechRepublic
techrepublic.com
Open sourceZoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws
thehackernews.com
Open sourceCritical Zoom Flaw (CVE-2026-22844): CVSS 9.9 Command Injection Exposes Hybrid Meetings
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Zoom Windows Client Vulnerabilities Including Critical Privilege Escalation
Zoom published security advisories on March 10, 2026 addressing multiple vulnerabilities affecting Windows components, including *Zoom Workplace for Windows*, *Zoom Meeting SDK for Windows*, *Zoom Rooms for Windows*, and the *Zoom Workplace VDI Client for Windows*. The Canadian Centre for Cyber Security advisory **AV26-231** urged organizations to review Zoom’s bulletins and apply updates, noting issues spanning **external control of file name or path**, **improper privilege management**, **improper input validation**, and an **improper check** condition across the affected Windows products and versions. Reporting on the same Zoom bulletin set, one write-up highlighted four Windows-side flaws ranging from **High to Critical** severity, including a **Critical** issue in the Zoom Workplace for Windows Mail feature tracked as **CVE-2026-30903 (ZSB-26005)**, described as an *External Control of File Name or Path* weakness that could enable **unauthenticated remote privilege escalation**. The additional disclosed issues were described as **CVE-2026-30902 (ZSB-26004)** affecting Zoom Clients for Windows (*Improper Privilege Management*), **CVE-2026-30901 (ZSB-26003)** affecting Zoom Rooms for Windows (*Improper Input Validation*), and **CVE-2026-30900 (ZSB-26002)** affecting Zoom Workplace Clients for Windows (*Improper Check*), with remediation requiring upgrading to fixed releases per Zoom’s advisories.
Mar 21, 2026
Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.
Mar 21, 2026
GitLab Patches CSRF and WebSocket Access Control Flaws in CE/EE
GitLab disclosed and remediated two high-severity vulnerabilities in GitLab CE/EE that could expose sensitive data and enable unauthorized actions. **CVE-2026-3857** is a `CWE-352` cross-site request forgery flaw in GitLab GraphQL functionality caused by insufficient CSRF protection, allowing an unauthenticated attacker to trigger arbitrary GraphQL mutations on behalf of an authenticated user if that user can be induced to interact. The issue affects versions from `17.10` before `18.8.7`, `18.9` before `18.9.3`, and `18.10` before `18.10.1`. GitLab also fixed **CVE-2026-5173**, a `CWE-749` improper access control issue that lets an authenticated user invoke unintended server-side methods over websocket connections. That flaw affects versions from `16.9.6` before `18.8.9`, `18.9` before `18.9.5`, and `18.10` before `18.10.3`, with GitLab rating it as network-exploitable with low attack complexity and significant confidentiality impact. GitLab published patch release information and related work items for both vulnerabilities, urging customers to update affected self-managed deployments to the fixed releases.
Apr 9, 2026