- Zoom released a critical security update for a flaw (CVE-2026-53412, CVSS 9.8) that could allow unauthenticated account takeover via network access.
- Three additional high-severity vulnerabilities were patched, including privilege escalation and race condition flaws in Zoom Workplace and Rooms for Windows.
- No active exploitation has been detected, but users are urged to apply the latest updates immediately.
Zoom has released emergency security updates for a critical vulnerability in Zoom Workplace for Windows that could allow attackers to take over accounts without authentication. The flaw, tracked as CVE-2026-53412 with a CVSS score of 9.8, affects Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows.
According to an advisory from Zoom, the issue stems from improper input validation that may allow an unauthenticated user to conduct account takeover via network access. The company also addressed three high-severity flaws in the same update cycle.
CVE-2026-53411 (CVSS 7.8) is an improper input validation vulnerability in the Zoom Workplace VDI Plugin for Windows before version 6.6.14, which could allow an authenticated user to escalate privileges via local access. Meanwhile, CVE-2026-53410 (CVSS 7.0) is a time-of-check to time-of-use race condition in the installation and uninstallation process of certain Zoom Clients for Windows that could enable privilege escalation.
CVE-2026-53409 (CVSS 7.8) affects Zoom Rooms for Windows before version 7.1.0, involving improper privilege management that may allow an authenticated user to escalate privileges locally. The race condition flaw impacts multiple products, including Zoom Workplace for Windows before version 7.0.5, Zoom Workplace VDI Client and plugin for Windows, as well as Zoom Rooms and Remote Control for Zoom Contact Center.
As of writing, there are no indications that any of the flaws are being exploited in real-world attacks. Users can stay protected by applying the latest updates.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
