On March 10, 2026, Zoom put out four security bulletins that revealed several weaknesses in its Windows-based client suite. The flaws, which range from High to Critical severity, could let attackers gain higher privileges on affected systems.

One critical flaw could be used by unauthenticated remote attackers who have never accessed the system before. CVE-2026-30903 (ZSB-26005), the most serious vulnerability, is rated as Critical and affects the Mail feature in Zoom Workplace for Windows. The problem is caused by External Control of File Name or Path, which is a flaw that lets an attacker change file references to carry out actions that aren't allowed. An attacker who is not logged in could use this flaw to gain higher privileges on systems that are affected by it over the network.

The CVSS vector shows that the attack doesn't need authentication and can be carried out remotely, which makes it the most dangerous of the four disclosures. This affects all versions of Zoom Workplace for Windows that are older than 6.6.0.

Weaknesses in Privilege Management and Input Validation

Three more high-severity vulnerabilities complete the disclosure batch.

CVE-2026-30902 (ZSB-26004) affects Zoom Clients for Windows and is an example of Improper Privilege Management. This means that user privileges that are not set up correctly could be used to get unauthorized higher access. CVE-2026-30901 (ZSB-26003) is a flaw that affects Zoom Rooms for Windows. It is an example of improper input validation, which means that bad or unexpected inputs can cause unintended actions, such as running code or changing privileges.

CVE-2026-30900 (ZSB-26002) affects Zoom Workplace Clients for Windows and is an "Improper Check" flaw. This means that the verification logic isn't working right, which could let someone get around access controls. In recent cycles, Zoom has consistently fixed similar privilege escalation problems on the Windows side.

For example, in August 2025, they fixed the Critical CVE-2025-49457 (CVSS 9.6), which let unauthorized users gain higher privileges in multiple Windows clients over the network.

The following table lists the affected products, vulnerability types, and severity levels:

| CVE ID | Bulletin | Product | Vulnerability Type | Severity | Date |
|---|---|---|---|---|---|
| CVE-2026-30903 | ZSB-26005 | Zoom Workplace for Windows | External Control of File Name or Path | Critical | 03/10/2026 |
| CVE-2026-30902 | ZSB-26004 | Zoom Clients for Windows | Improper Privilege Management | High | 03/10/2026 |
| CVE-2026-30901 | ZSB-26003 | Zoom Rooms for Windows | Improper Input Validation | High | 03/10/2026 |
| CVE-2026-30900 | ZSB-26002 | Zoom Workplace Clients for Windows | Improper Check | High | 03/10/2026 |

Mitigations

Zoom has released patches that fix all four security holes. Individuals and businesses should do the following right away:

- Make sure that all copies of Zoom Workplace for Windows are at least version 6.6.0.
- Update Zoom Rooms for Windows and Zoom Clients for Windows to the latest available build.
- Download updates directly from the official Zoom download portal at zoom.us/download.
- Prioritize patching endpoints where Zoom Workplace is actively used, especially in email-heavy or enterprise virtual desktop settings.
- Check the user privilege settings in Zoom deployments to make the blast radius smaller in case of an attack.
- Check network traffic for strange patterns of Zoom file access that could mean someone is trying to take advantage of CVE-2026-30903.
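One way to run the version check from the mitigation steps above on an endpoint, as an added example that is not from Zoom or the original article. It reads the standard Windows Uninstall registry keys and flags Zoom entries below 6.6.0, the floor the article gives for Zoom Workplace; the display-name pattern and the version-string formats are assumptions, and for Zoom Rooms or other clients pass the current build as `-MinimumVersion`.

```powershell
# Added example: list installed Zoom products and flag versions below a minimum.
# Assumptions: products register under the standard Uninstall keys with a
# DisplayName starting with "Zoom"; DisplayVersion begins with dotted numbers.
param(
    [version]$MinimumVersion = '6.6.0',  # Zoom Workplace floor stated in the article
    [string]$NamePattern = 'Zoom*'       # assumed display-name pattern
)

function ConvertTo-ZoomVersion {
    param([string]$Raw)
    # Accepts "6.5.12", "6.5.12.4567" or "6.5.12 (4567)"; $null if unparseable.
    if ($Raw -match '^\s*(\d+(?:\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

$uninstallKeys = @(
    # Machine-wide installs, 64-bit and 32-bit views
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # Per-user installs: covers only the account running the script
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$report = foreach ($key in $uninstallKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        ForEach-Object {
            $parsed = ConvertTo-ZoomVersion $_.DisplayVersion
            # Compare as [version], not text: "6.10.0" sorts before "6.6.0" as a string.
            $status = if ($null -eq $parsed) { 'UNKNOWN' } elseif ($parsed -lt $MinimumVersion) { 'BELOW_MINIMUM' } else { 'OK' }
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Product    = $_.DisplayName
                RawVersion = $_.DisplayVersion
                Status     = $status
                Hive       = $_.PSDrive.Name
            }
        }
}

$report | Sort-Object Status, Product | Format-Table -AutoSize
# A non-zero exit code lets a deployment tool mark the endpoint as non-compliant.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

Run it once per logged-on user context as well as elevated, since per-user installs are registered only in that user's hive.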

Zoom tells all Windows users to install these updates right away because there are no other ways to protect themselves besides upgrading to the patched version.