Zoom Rooms and Workplace Vulnerabilities Allow Attackers to Escalate Privileges

HomeCyber Security News Zoom Rooms and Workplace Vulnerabilities Allow Attackers to Escalate Privileges By Abinaya May 12, 2026 A series of newly discovered vulnerabilities in Zoom’s software ecosystem could hand local attackers the keys to your system. As organizations continue to rely heavily on virtual meetings, threat actors are constantly hunting for ways to exploit these communication tools. Zoom has rapidly released patches for three distinct security flaws affecting Zoom Rooms for Windows, the Zoom Workplace VDI Plugin, and Zoom Workplace for iOS. If left unpatched, the most severe of these bugs allows authenticated users to quietly escalate their privileges and gain unauthorized control over affected devices. High-Severity Windows Vulnerabilities The most critical threats come from two high-severity flaws impacting Windows users, both discovered and reported to Zoom by security researcher sim0nsecurity. The first flaw, tracked as CVE-2026-30906, affects the Zoom Rooms installer for Windows through an untrusted search path weakness. When a software program does not properly verify the directories it uses to load critical files, attackers can plant malicious code in those paths. An authenticated user with local access can exploit this oversight to escalate their privileges and take deeper administrative control of the system. The second major vulnerability, CVE-2026-30905, exists in the Zoom Workplace VDI Plugin Windows Universal Installer. This bug involves the external control of a file name or path. By manipulating how the installer handles file paths during setup, a local attacker can force the system to execute unauthorized commands, opening another dangerous avenue for privilege escalation. While Windows users face the immediate threat of privilege escalation, iOS users face a different kind of risk. Tracked as CVE-2026-30904, this low-severity vulnerability affects Zoom Workplace for iOS. Reported by security researcher errorsec_, the flaw involves a failure of a protection mechanism. Unlike the Windows bugs, an attacker needs physical access to the iOS device to exploit this issue. If successful, the attacker could bypass protections to force the application to disclose sensitive information. Because it requires physical access and high privileges, the CVSS severity score remains a low 1.8. To mitigate these risks and prevent potential system takeovers, users and system administrators must act quickly. Zoom has already released updates to address these security gaps across all affected platforms. Organizations should enforce rapid patch management policies and ensure their endpoints are fully up to date. Users can secure their devices by downloading and applying the latest versions directly from the official Zoom download portal. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Critical Qualcomm Chipset Vulnerabilities Enables Remote Code Execution Google Chrome 148 Released with Fix for 127 Security Vulnerabilities – Update Now! Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes QLNX Targets Developers With Credential Theft Designed for Supply Chain Compromise NVIDIA Data Breach Reportedly Exposes Personal Information of GeForce Users Latest News Cyber Security News SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA Cyber Security News Hackers Hijack Microsoft Teams Accounts to Deliver ModeloRAT Cyber Security News North Korean Hackers Weaponize Git Hooks to Deploy Cross-Platform Malware AI Critical “Cline” AI Agent Vulnerability Enables RCE Attacks Cyber Security News Malicious Chrome MV3 Extension Impersonates TronLink to Steal Crypto Wallet Credentials