Zoom Windows Client Vulnerabilities Including Critical Privilege Escalation
Zoom published security advisories on March 10, 2026 addressing multiple vulnerabilities affecting Windows components, including Zoom Workplace for Windows, Zoom Meeting SDK for Windows, Zoom Rooms for Windows, and the Zoom Workplace VDI Client for Windows. The Canadian Centre for Cyber Security advisory AV26-231 urged organizations to review Zoom’s bulletins and apply updates, noting issues spanning external control of file name or path, improper privilege management, improper input validation, and an improper check condition across the affected Windows products and versions.
Reporting on the same Zoom bulletin set, one write-up highlighted four Windows-side flaws ranging from High to Critical severity, including a Critical issue in the Zoom Workplace for Windows Mail feature tracked as CVE-2026-30903 (ZSB-26005), described as an External Control of File Name or Path weakness that could enable unauthenticated remote privilege escalation. The additional disclosed issues were described as CVE-2026-30902 (ZSB-26004) affecting Zoom Clients for Windows (Improper Privilege Management), CVE-2026-30901 (ZSB-26003) affecting Zoom Rooms for Windows (Improper Input Validation), and CVE-2026-30900 (ZSB-26002) affecting Zoom Workplace Clients for Windows (Improper Check), with remediation requiring upgrading to fixed releases per Zoom’s advisories.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security urges Zoom users to apply updates
On 2026-03-12, the Canadian Centre for Cyber Security issued advisory AV26-231 highlighting Zoom's Windows vulnerabilities and directing users and administrators to review Zoom's bulletins, follow mitigations, and install available updates. The notice reiterated the affected products and vulnerability classes disclosed by Zoom.
Critical CVE-2026-30903 detailed as remote privilege-escalation flaw
In the March 10, 2026 advisories, Zoom identified CVE-2026-30903 as the most severe issue: a Critical external control of file name or path vulnerability in the Mail feature of Zoom Workplace for Windows. The flaw could be exploited remotely without authentication to achieve privilege escalation.
Zoom discloses and patches four Windows product vulnerabilities
On 2026-03-10, Zoom published four security bulletins covering multiple High-to-Critical vulnerabilities in Zoom Workplace for Windows, Zoom Clients for Windows, Zoom Rooms for Windows, Zoom Meeting SDK for Windows, and Zoom Workplace VDI Client for Windows. Zoom released fixes and instructed users to upgrade to patched versions, including Zoom Workplace for Windows version 6.6.0 or later.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Actively Exploited Vulnerabilities and Social-Engineering Breaches Reported Across Zoom, SmarterMail, Vite, and Appsmith
Several vendors and security trackers reported **high-impact vulnerabilities** with exploitation risk, alongside separate **social-engineering-driven breaches**. Zoom disclosed a **command injection** issue in Zoom Node Multimedia Routers (MMRs) used in certain hybrid meeting environments, tracked as **CVE-2026-22844** (reported with a high technical severity), which could allow meeting participants to execute arbitrary code; administrators were advised to update to *Zoom* version **5.2.1716.0**. SmarterTools reported a critical **authentication bypass** in *SmarterMail* (**CVE-2026-23760**) that could allow unauthenticated attackers to reset admin passwords via the `force-reset-password` API endpoint and potentially reach OS command execution and full remote code execution; mitigations included upgrading to **Build 9511**, resetting admin passwords, and enabling MFA. Separately, *Vite* was reported as affected by an **improper access control** flaw (**CVE-2025-31125**) enabling exposure of sensitive files by bypassing `server.fs.deny` protections using crafted query parameters (e.g., `?inline&import` or `?raw&import`); the issue was noted as being exploited in the wild and added to the **CISA Known Exploited Vulnerabilities** catalog. SC Media also reported active exploitation of an *Appsmith* **authentication flaw** (**CVE-2026-22794**) tied to the password reset flow, enabling account takeover by leaking reset tokens; defenders were urged to upgrade to **Appsmith 1.93**, which tightens Origin header validation and trusted base URL enforcement. In parallel to these vulnerability-driven risks, the Canadian Investment Regulatory Organization (**CIRO**) disclosed a **phishing-led breach** affecting ~**750,000** investors with exposure of highly sensitive identifiers (including social insurance numbers and investment information), while Betterment confirmed **unauthorized access via social engineering** that exposed customer contact/identity data and was used to send fraudulent cryptocurrency-scam notifications to users.
Mar 21, 2026
Critical RCE in Zoom Node Multimedia Routers (CVE-2026-22844)
Zoom disclosed and patched a **critical command-injection vulnerability** in *Zoom Node Multimedia Routers (MMRs)* that could allow **remote code execution** by a **meeting participant** over network access. The issue, tracked as **CVE-2026-22844** with a **CVSS 9.9**, affects Zoom Node MMR modules **prior to version 5.2.1716.0**; Zoom advised customers running **Zoom Node Meetings Hybrid (ZMH)** and **Zoom Node Meeting Connector (MC)** deployments to update to **5.2.1716.0 or later**. Zoom stated it has **no evidence of in-the-wild exploitation** at the time of disclosure. Separately, GitLab released fixes for multiple high-severity vulnerabilities in **GitLab CE/EE**, including issues that could enable **denial-of-service (DoS)** and a **two-factor authentication (2FA) bypass** (e.g., **CVE-2025-13927** and **CVE-2025-13928**, both CVSS 7.5, affecting broad version ranges). While reported alongside the Zoom update in one source, the GitLab items represent a distinct patch set and are not part of the Zoom MMR vulnerability event.
Mar 21, 2026
Microsoft fixes Windows privilege escalation flaws in Kernel and Remote Desktop Services
Microsoft published security advisories for multiple Windows elevation-of-privilege vulnerabilities, including **`CVE-2026-40398`** in **Windows Remote Desktop Services** and **`CVE-2026-35420`** and **`CVE-2026-26180`** in the **Windows Kernel**. The flaws were listed in the Microsoft Security Update Guide as privilege escalation issues affecting core Windows components, expanding the set of local escalation risks defenders need to track across both kernel-level and remote desktop-related attack surfaces. The advisories provide official Microsoft tracking for the vulnerabilities but do not include public synopsis details in the referenced entries. For security teams, the immediate takeaway is to review Microsoft updates covering **Remote Desktop Services** and **Windows Kernel** components, prioritize patch deployment for systems where local access could be leveraged into higher privileges, and validate exposure across managed Windows endpoints and servers.
May 12, 2026