Zoom Patches Three Security Flaws in Windows Rooms and VDI Plugin Allowing Authenticated Attackers to Escalate Privileges and Hijack Enterprise Systems
Zoom has released critical security updates patching three distinct vulnerabilities across its Windows and iOS applications — including two high-severity flaws that allow authenticated local users to escalate their privileges and gain full administrative control over affected enterprise systems. The vulnerabilities affect Zoom Rooms for Windows, the Zoom Workplace VDI Plugin for Windows, and Zoom Workplace for iOS, with the Windows flaws carrying a CVSS base score of 7.8 and representing an immediately exploitable lateral movement risk in enterprise environments. Zoom strongly urges all users, IT administrators, and remote workers to apply the latest patches without delay via the official Zoom download centre.
The most widely impactful of the three vulnerabilities is CVE-2026-30906, a high-severity untrusted search path flaw in the Zoom Rooms installer for Windows. When software does not properly verify the directories it uses to load critical files during installation, attackers can plant malicious code in those unverified paths — causing the installer to execute attacker-controlled content with elevated permissions. Any authenticated user with standard local access to the machine can exploit this weakness to escalate privileges and obtain administrative control. Threat actors who achieve this level of access can disable security tools, steal sensitive enterprise data, move laterally across the network, or deploy ransomware across connected systems. All versions of Zoom Rooms for Windows prior to 7.0.0 are affected and must be updated immediately.
The second high-severity vulnerability, CVE-2026-30905, was discovered by security researcher sim0nsecurity and targets the Zoom Workplace VDI Plugin Windows Universal Installer. This flaw involves external control of a file name or path — meaning an attacker can manipulate how the installer handles file paths during the setup process, forcing the system to execute unauthorised commands with elevated privileges. Like CVE-2026-30906, this vulnerability creates a direct path for any local authenticated user to perform a privilege escalation attack. The flaw specifically impacts version 6.6.10 of the VDI Plugin, requiring an immediate upgrade to version 6.6.11 or newer. Virtual desktop infrastructure environments are particularly sensitive to this class of vulnerability because a successful privilege escalation in a VDI context can expose not just a single endpoint but the broader virtual environment shared across multiple users.
iOS users face a lower-severity but still noteworthy vulnerability tracked as CVE-2026-30904, reported by security researcher errorsec_. The flaw involves a failure of a protection mechanism within Zoom Workplace for iOS that could lead to unauthorised information disclosure. With a CVSS score of 1.8, the immediate risk is considerably lower than the Windows flaws — exploitation requires physical access to the target device and elevated privileges. However, it still represents a privacy exposure for affected users in scenarios involving physical device access, such as lost or stolen devices. All iOS app versions prior to 7.0.0 are affected.
All three vulnerabilities share a common and straightforward remediation path — update to the patched versions immediately. Zoom Rooms for Windows and Zoom Workplace for iOS users must update to version 7.0.0 or later. Zoom Workplace VDI Plugin users must upgrade to version 6.6.11 or newer. Updates are available directly from the official Zoom download centre. Enterprise IT administrators should treat the two Windows privilege escalation flaws as priority patches — both carry a CVSS score of 7.8 and are exploitable by any locally authenticated user, making them highly attractive to insider threats, compromised accounts, and post-phishing lateral movement campaigns.