Skip to content

Zoom Workplace on Windows: CVE-2026-53412 lets a network attacker take an account

Zoom bulletin ZSB-26014 patches CVE-2026-53412, a CVSS 9.8 pre-auth account takeover in Zoom Workplace and the VDI client for Windows. Update to 7.0.0 / 7.0.10 / 6.6.15 / 6.5.18.

Published 5 min read

Zoom shipped an urgent security update for its Windows desktop clients on July 14, 2026 and revised the bulletin one day later. The advisory — ZSB-26014, tracking CVE-2026-53412 — describes an improper input validation flaw that lets an unauthenticated attacker conduct a full account takeover over the network, with no user interaction and low attack complexity. CVSS 9.8. Primary source: the Zoom Trust Center bulletin index at zoom.com/en/trust/security-bulletin, with cross-coverage at BleepingComputer and The Hacker News.

What the bug does

The Zoom advisory describes an improper input validation weakness in the Windows client's handling of data received from Zoom infrastructure. Successful exploitation results in an account takeover — the attacker impersonates the victim on the platform, with access to that account's contacts, meeting history, cloud recordings, and any SSO-linked resources reachable through the account. The published CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — network-reachable, no credentials, no user interaction, complete compromise of confidentiality, integrity, and availability.

Zoom credits its own Offensive Security team with the report.

Affected versions

Per ZSB-26014:

  • Zoom Workplace for Windows — all releases before 7.0.0.
  • Zoom Workplace VDI Client for Windows — before 7.0.10 on the 7.0 branch, 6.6.15 on the 6.6 branch, and 6.5.18 on the 6.5 branch.

The Zoom Meeting SDK for Windows appeared in the initial July 14 bulletin but was removed on July 15, per the vendor's revision note. macOS, Linux, iOS, Android, and web clients are not listed as affected.

Patched versions

  • Zoom Workplace for Windows 7.0.0 or later on the 7.0 branch.
  • Zoom Workplace VDI Client for Windows 7.0.10, 6.6.15, or 6.5.18 depending on which branch you deploy.

Updates ship through the standard zoom.us download portal and via the enterprise MSI installers. There is no vendor-published mitigation short of upgrading — the flaw is in the client's input-handling path and cannot be worked around by tightening account settings.

Exploitation status

Not confirmed in the wild. Zoom's bulletin states that at time of publication the company has no evidence of active exploitation, and no third party — GreyNoise, Mandiant, CISA — has published exploitation telemetry naming CVE-2026-53412 as of writing. Coverage at SecurityAffairs and The Cyber Express mirrors that framing. No public PoC has surfaced.

The absence of exploitation reporting is a snapshot, not a guarantee. A CVSS 9.8, unauthenticated, network-reachable client bug in software installed on tens of millions of Windows endpoints is exactly the profile that gets weaponised within days of disclosure, particularly by initial-access brokers who trade takeovers of enterprise SSO-adjacent accounts.

Action checklist

  1. Inventory Windows Zoom installs by branch and version today. Endpoint management (Intune, JAMF-for-Windows, Workspace ONE, or plain SCCM) can pull HKLM\Software\Zoom\ZoomClient and the DisplayVersion string. Anything below 7.0.0 on the desktop client, or below 7.0.10 / 6.6.15 / 6.5.18 on the VDI client, is vulnerable.
  2. Force-push 7.0.0 (or the matching VDI patch) via your endpoint tooling. The enterprise MSI on Zoom's IT admin page carries the fixed builds. Do not rely on the user-space auto-updater — it silently skips machines where the user does not have local admin, which in most managed fleets is the default posture.
  3. VDI operators — plan for a two-side upgrade window. The VDI client sits on the user's endpoint; the Zoom VDI plugin (a separate component) sits inside the virtual desktop image. Both should be kept aligned. Confirm your image build pipeline picks up the fixed branch before the next golden-image bake.
  4. Rotate SSO sessions for any account that used the vulnerable client in the last 30 days. Because the impact is impersonation, not code execution on the endpoint, session invalidation at the identity-provider layer (Okta, Entra ID, Google Workspace) is what actually closes the door on a takeover that predates the patch. Force-refresh Zoom OAuth tokens in the admin console the same day.
  5. Watch the Zoom sign-in log for anomalous MFA prompts on accounts that have not yet upgraded. Zoom Trust Center exposes sign-in geography and device fingerprint in the account log — a takeover attempt against an unpatched client will typically surface as an unrecognised device pairing before it consolidates the session.

Context

The July 14 batch of Zoom bulletins covered four CVEs in total. Alongside CVE-2026-53412, Zoom disclosed:

  • CVE-2026-53411 — improper input validation in the Zoom VDI Plugin (Windows).
  • CVE-2026-53410 — TOCTOU race condition during Zoom client install/uninstall on Windows, allowing local privilege escalation.
  • CVE-2026-53409 — improper privilege management in Zoom Rooms.

Only CVE-2026-53412 hits CVSS 9.8; the other three are high-severity but require either local access or pre-existing conditions. The pattern — a critical, unauthenticated client-side bug shipped alongside a bundle of local escalation flaws — matches the shape of Zoom's previous large bulletin releases in March 2026 (CVE-2026-4183) and August 2025 (CVE-2025-49463). Both of those were similar improper-input-validation bugs against the Windows client. For a client codebase this widely deployed, this cadence is now the expected weather, not a surprise.

That's the second aspect worth flagging: Zoom's Windows client remains the recurring locus for these bugs. macOS, Linux, and mobile builds have received far fewer critical CVEs on the same intake. Fleets standardised on Zoom-on-Windows should treat the client as a monthly-patch-cycle target, not an application that "just updates itself."

Related stories