Zoom security advisory (AV26-231)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Zoom Clients for Windows (AV26-231)
## CVE Details
*Note: Specific CVE IDs and CVSS scores are typically contained within the sub-links provided by the Cyber Centre. Based on the advisory summary (AV26-231):*
- **CVE ID:** Not given in the summary; the CVE IDs are those assigned in Zoom bulletins ZSB-26002, ZSB-26003, ZSB-26004 and ZSB-26005 (placeholder form: CVE-2026-XXXXX).
- **CVSS Score:** Not listed in the summary; flaws of these classes are typically rated **Medium to High**.
- **CWE:**
  - CWE-73 (External Control of File Name or Path)
  - CWE-269 (Improper Privilege Management)
  - CWE-20 (Improper Input Validation)
  - CWE-358 (Improper Check)
## Affected Systems
- **Products:**
  - Zoom Meeting SDK for Windows
  - Zoom Rooms for Windows
  - Zoom Workplace for Windows
  - Zoom Workplace VDI Client for Windows
- **Versions:**
  - Meeting SDK for Windows: Prior to 6.6.11
  - Zoom Rooms for Windows: Prior to 6.6.5
  - Zoom Workplace for Windows: Prior to 6.6.11
  - Zoom Workplace VDI Client: Prior to 6.4.17, 6.5.15, and 6.6.10
- **Configurations:** Windows-based installations of the Zoom ecosystem.
## Vulnerability Description
This advisory covers several distinct technical flaws identified in March 2026:
1. **Path Traversal/File Control:** An "External Control of File Name or Path" flaw in the Workplace client could allow an attacker to influence file operations.
2. **Privilege Escalation:** "Improper Privilege Management" in Windows clients may allow a local user to gain elevated permissions.
3. **Input Validation:** Zoom Rooms for Windows fails to properly validate input, which could lead to unexpected execution flow.
4. **Logic Error:** An "Improper Check" in the Workplace client indicates a failure in security policy enforcement or verification steps.
## Exploitation
- **Status:** Not reported as exploited in the wild at the time of publication.
- **Complexity:** Medium (generally requires specific user interaction or local access).
- **Attack Vector:** Local and Network (varying by specific ZSB).
## Impact
- **Confidentiality:** High (Potential unauthorized access to files).
- **Integrity:** High (Potential unauthorized modification of system files or privileges).
- **Availability:** Medium (Potential for application crashes).
## Remediation
### Patches
Users and administrators should update to the following versions or later:
- **Zoom Meeting SDK for Windows:** 6.6.11
- **Zoom Rooms for Windows:** 6.6.5
- **Zoom Workplace for Windows:** 6.6.11
- **Zoom Workplace VDI Client:** 6.4.17, 6.5.15, or 6.6.10 (depending on branch)
### Workarounds
- Ensure the principle of least privilege is applied to standard user accounts to mitigate privilege escalation risks.
- Restrict file-sharing capabilities within the Zoom environment until patches are applied.
## Detection
- **Indicators of Compromise:** Unusual file creation in Zoom application directories; unexpected elevation of local user privileges.
- **Detection methods and tools:** Audit Windows Event Logs for unauthorized service installations or process execution originating from Zoom binaries. Use vulnerability scanners to identify out-of-date Zoom builds.
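A version check that applies the fixed builds from the Patches section to an installed-software inventory, as an added example that is not code from Zoom, the Cyber Centre, or the original advisory. It assumes the inventory is available as (product name, version string) pairs; the fixed versions are the ones the advisory gives, and the handling of VDI client branches the advisory does not list (older branches count as "prior to" every fix, newer ones are flagged for review rather than assumed safe) is this example's own conservative choice.

```python
"""Inventory check for the Zoom for Windows builds covered by AV26-231.

Added example, not code from Zoom or the Cyber Centre. The fixed versions
come from the advisory's Patches section; the inventory row format
(product name, version string) and the handling of VDI branches the
advisory does not list are assumptions made for this example.
"""

# Lowest fixed build per product, from the advisory. The VDI client is
# fixed per release branch, so its entry is keyed by (major, minor).
FIXED_VERSIONS = {
    "Zoom Meeting SDK for Windows": (6, 6, 11),
    "Zoom Rooms for Windows": (6, 6, 5),
    "Zoom Workplace for Windows": (6, 6, 11),
    "Zoom Workplace VDI Client for Windows": {
        (6, 4): (6, 4, 17),
        (6, 5): (6, 5, 15),
        (6, 6): (6, 6, 10),
    },
}


def parse_version(text):
    """Turn '6.6.10', '6.6.10.1234' or '6.6.10 (1234)' into a tuple of ints.

    Tuples compare lexicographically, so (6, 6, 10, 1234) >= (6, 6, 10)
    and (6, 6, 9, 9999) < (6, 6, 10), which is the ordering we want.
    """
    core = text.strip().split()[0]
    return tuple(int(part) for part in core.split("."))


def assess(product, version_text):
    """Classify one inventory row.

    Returns one of:
      'patched'     - at or above the fixed build for its branch
      'vulnerable'  - below the fixed build, or on a VDI branch older than
                      any fixed branch (still 'prior to' every fixed build)
      'review'      - VDI branch newer than those the advisory lists; not
                      covered by the advisory text, so check it manually
                      (assumption: do not silently mark it patched)
      'not-covered' - product not named in the advisory
    """
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return "not-covered"
    version = parse_version(version_text)
    if isinstance(fixed, dict):
        branch_fix = fixed.get(version[:2])
        if branch_fix is None:
            oldest_fix = min(fixed.values())
            return "vulnerable" if version < oldest_fix else "review"
        fixed = branch_fix
    return "patched" if version >= fixed else "vulnerable"


def scan(inventory):
    """Return (product, version, status) for every row that needs action."""
    findings = []
    for product, version_text in inventory:
        status = assess(product, version_text)
        if status in ("vulnerable", "review"):
            findings.append((product, version_text, status))
    return findings


# Constructed sample inventory (not real hosts): (product, installed version).
SAMPLE_INVENTORY = [
    ("Zoom Workplace for Windows", "6.6.10"),
    ("Zoom Workplace for Windows", "6.6.11.1234"),
    ("Zoom Rooms for Windows", "6.6.4 (5678)"),
    ("Zoom Meeting SDK for Windows", "6.6.11"),
    ("Zoom Workplace VDI Client for Windows", "6.5.14"),
    ("Zoom Workplace VDI Client for Windows", "6.4.17"),
    ("Zoom Workplace VDI Client for Windows", "6.3.9"),
    ("Zoom Workplace VDI Client for Windows", "6.7.0"),
    ("Zoom Workplace for macOS", "6.6.0"),
]

if __name__ == "__main__":
    for product, version, status in scan(SAMPLE_INVENTORY):
        print(f"{status:10s} {product}: {version}")
```

Feed `scan()` the product and version columns exported from your software-inventory or vulnerability-management tool; the comparison is done on integer tuples rather than strings so that builds such as 6.6.9 are correctly ranked below 6.6.10, and the VDI client is matched against the fix for its own release branch instead of a single global minimum.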
## References
- **Vendor Advisory (ZSB-26002):** hxxps[://]www[.]zoom[.]com/en/trust/security-bulletin/zsb-26002/
- **Vendor Advisory (ZSB-26003):** hxxps[://]www[.]zoom[.]com/en/trust/security-bulletin/zsb-26003/
- **Vendor Advisory (ZSB-26004):** hxxps[://]www[.]zoom[.]com/en/trust/security-bulletin/zsb-26004/
- **Vendor Advisory (ZSB-26005):** hxxps[://]www[.]zoom[.]com/en/trust/security-bulletin/zsb-26005/
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/zoom-security-advisory-av26-231