New Vulnerabilities Discovered in Zoom Software May Pose Serious Security Risks
A newly revealed set of vulnerabilities within Zoom’s software suite has raised significant concerns regarding the potential for unauthorized access and system hijacking. These flaws, which affect both Windows and iOS applications, have prompted Zoom to issue urgent security updates designed to rectify these issues. Industry experts emphasize the importance of addressing these vulnerabilities to safeguard user data and corporate networks.
Among the vulnerabilities, the most alarming allows authenticated attackers to escalate their system privileges. This essentially enables a standard user account to gain administrative-level access, significantly increasing the threat level within affected systems.
Zoom Rooms for Windows: Critical Vulnerability
The first of the identified vulnerabilities is associated with Zoom Rooms for Windows and has been categorized as CVE-2026-30906. This high-severity flaw carries a Common Vulnerability Scoring System (CVSS) base score of 7.8 out of 10. The root of the issue lies in an untrusted search path vulnerability present within the software’s installer. With this flaw, if an attacker has already secured standard local access on a machine, they can exploit this weakness, allowing them to escalate their privileges.
Hackers commonly employ such access to disable security tools, steal sensitive enterprise data, or deploy ransomware, effectively compromising business operations. This vulnerability affects all versions of Zoom Rooms for Windows that are older than 7.0.0, creating a pressing need for users to update their systems without delay.
Workplace VDI Plugin for Windows: Another High-Severity Bug
Further complicating the security landscape is a second high-severity vulnerability found in the Zoom Workplace VDI Plugin for Windows, tracked as CVE-2026-30905. Like the Zoom Rooms issue, this flaw also has a CVSS score of 7.8 and stems from the external control of a file name or path within the software’s Windows Universal Installer.
This too provides an opportunity for a local, authenticated user to initiate a privilege escalation attack, posing significant risks primarily in Windows environments. Users are expressly urged to update to version 6.6.11 or newer of the Zoom Workplace VDI Plugin to mitigate this vulnerability.
iOS Users Also at Risk: A Lower-Severity Flaw
While the aforementioned vulnerabilities greatly impact Windows environments, mobile users are not exempt from risks either. The Zoom Workplace app for iOS also contains a flaw, tracked as CVE-2026-30904, which features a lower CVSS score of 1.8. This vulnerability results from a failure of a protection mechanism, which could potentially allow unauthorized information disclosure. Notably, an attacker would need physical access to the target’s iOS device to exploit this weakness.
Though the immediate risk is categorized as low, the situation represents a notable privacy concern for affected users. The security researcher who uncovered this flaw, known by the handle “errorsec_,” indicated that all iOS app versions older than 7.0.0 are susceptible to this issue, thereby creating a privacy breach that users should be aware of.
The Broader Implications of Privilege Escalation Vulnerabilities
Privilege escalation vulnerabilities are highly sought after by threat actors, who frequently use them to navigate laterally across enterprise networks. Cybersecurity professionals warn that failing to address these vulnerabilities could lead to significant breaches, affecting overall corporate security. Organizations are urged to prioritize their software update processes to prevent localized attacks from spiraling into larger, more damaging security incidents.
In light of these revelations, Zoom has strongly urged all users—including IT administrators and remote workers—to apply the latest security patches without delay. Users can secure their devices by downloading the most recent, patched software versions directly from the official Zoom download center.
As the cybersecurity landscape continues to evolve, organizations must remain vigilant in monitoring for vulnerabilities and ensuring prompt software updates. By doing so, they can protect their networks and sensitive data from potential breaches and maintain a robust security posture in a landscape fraught with threats.