Zoom Rooms and Workplace Flaws Allow Privilege Escalation Attacks

A newly disclosed batch of vulnerabilities in Zoom’s software suite could give attackers the leverage they need to hijack enterprise systems.

Zoom has released critical security updates to patch three distinct flaws affecting its Windows and iOS applications.

The most dangerous of these allows authenticated attackers to elevate system privileges, effectively turning a standard user account into a high-level administrative threat.

Zoom Rooms and VDI Plugin Flaws

Two high-severity vulnerabilities target Windows environments, both carrying a CVSS base score of 7.8 out of 10.

  • CVE-2026-30906 affects Zoom Rooms for Windows and stems from an untrusted search path vulnerability in the software’s installer.
  • Any attacker with standard local access can exploit this weakness to escalate privileges and gain administrative control.
  • Hackers often leverage this level of access to disable security tools, steal sensitive enterprise data, or deploy ransomware.
  • All versions of Zoom Rooms for Windows before 7.0.0 are impacted.
  • CVE-2026-30905 was discovered by security researcher “sim0nsecurity” and targets the Zoom Workplace VDI Plugin for Windows.
  • Caused by external control of a file name or path within the Windows Universal Installer, this flaw likewise opens the door to privilege escalation for any local, authenticated user.
  • It specifically impacts version 6.6.10 of the VDI Plugin, requiring an immediate upgrade to version 6.6.11 or newer.

Both vulnerabilities represent a direct path for internal or compromised accounts to move laterally across enterprise networks, a tactic frequently used in ransomware and data theft campaigns.

iOS Users Face Lower-Severity Privacy Risk

While Windows environments bear the brunt of the critical escalation risk, mobile users are not entirely in the clear.

  • CVE-2026-30904 affects Zoom Workplace for iOS and involves a failure of a protection mechanism that could lead to unauthorized information disclosure.
  • Reported by security researcher “errorsec_”, this flaw carries a lower CVSS score of 1.8, as the attacker requires physical access to the target’s iOS device. All iOS app versions older than 7.0.0 are affected.

| CVE ID | Product | Vulnerability Type | Severity | CVSS Score |
|---|---|---|---|---|
| CVE-2026-30906 | Zoom Rooms for Windows | Untrusted Search Path | High | 7.8 |
| CVE-2026-30905 | Zoom Workplace VDI Plugin (Windows) | External Control of File Name/Path | High | 7.8 |
| CVE-2026-30904 | Zoom Workplace for iOS | Protection Mechanism Failure | Low | 1.8 |

Privilege escalation vulnerabilities are highly prized by threat actors looking to move laterally across enterprise networks.

To prevent localized attacks from snowballing into full-scale corporate breaches, organizations must prioritize their software update pipelines without delay.

Zoom strongly urges all users, IT administrators, and remote workers to apply the latest patches immediately by downloading updated versions directly from the official Zoom download center.
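To find which endpoints still need these updates, the following added example (not from Zoom or the original article) triages a software inventory export against the affected versions listed above. The CSV layout, the product labels, and the sample hosts and build suffixes are assumptions made for illustration.

```python
import csv, io, re

# Affected versions as stated in the article. Product names are assumed inventory labels.
# "lt" = every version below the bound; "eq" = only that exact version (per the article,
# CVE-2026-30905 specifically impacts VDI Plugin 6.6.10).
ADVISORIES = [
    ("CVE-2026-30906", "zoom rooms for windows", "lt", (7, 0, 0)),
    ("CVE-2026-30905", "zoom workplace vdi plugin for windows", "eq", (6, 6, 10)),
    ("CVE-2026-30904", "zoom workplace for ios", "lt", (7, 0, 0)),
]

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def triage(inventory_csv):
    """Return a list of (host, product, version, verdict) for matching inventory rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        version = parse_version(row["version"])
        for cve, name, op, bound in ADVISORIES:
            if product != name:
                continue
            if version is None:
                # Never treat an unknown version as safe; route it to a human.
                verdict = f"REVIEW {cve} (unparseable version)"
            elif (op == "lt" and version < bound) or (op == "eq" and version == bound):
                verdict = f"AFFECTED {cve}"
            else:
                verdict = "ok"
            findings.append((row["host"], row["product"], row["version"], verdict))
    return findings

# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE = """host,product,version
conf-room-01,Zoom Rooms for Windows,6.10.2 (4417)
conf-room-02,Zoom Rooms for Windows,7.0.0
vdi-host-07,Zoom Workplace VDI Plugin for Windows,6.6.10
vdi-host-08,Zoom Workplace VDI Plugin for Windows,6.6.11
ipad-exec-3,Zoom Workplace for iOS,6.9
kiosk-12,Zoom Rooms for Windows,unknown
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep=" | ")
```

Versions are compared as integer tuples, so 6.10.2 sorts above 6.9.0 instead of below it as a string comparison would.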


The post Zoom Rooms and Workplace Flaws Allow Privilege Escalation Attacks appeared first on Cyber Security News.

