Critical Zoom Flaw Allows Meeting Participants to Execute Code on Enterprise Servers (CVE-2026-22844)

Zoom has disclosed a critical command injection vulnerability affecting its enterprise hybrid meeting infrastructure that could allow a meeting participant to execute arbitrary code on backend servers.

The vulnerability, tracked as CVE-2026-22844, carries a CVSS score of 9.9 and affects Zoom Node Multimedia Routers (MMRs)—the components responsible for processing audio and video streams in Zoom's on-premises architecture.

What's Affected

The flaw impacts organizations running Zoom's hybrid or self-hosted meeting infrastructure:

  • Zoom Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0
  • Zoom Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0

Standard Zoom cloud users are not affected. The vulnerability specifically targets enterprises that deploy Zoom Node for on-premises meeting routing.

Technical Details

The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates:

  • Network exploitable with low attack complexity
  • Low privileges required - a meeting participant can trigger it
  • No user interaction needed
  • Scope changed - compromise extends beyond the vulnerable component
  • High impact to confidentiality, integrity, and availability

The "scope changed" designation is particularly concerning, as it means successful exploitation could allow attackers to pivot from the MMR to other systems in the network.

Why It Matters

Organizations deploy Zoom Node infrastructure specifically to keep meeting traffic on-premises for security, compliance, or performance reasons. The irony of a critical RCE vulnerability in this security-conscious deployment model is not lost.

Any authenticated meeting participant, potentially including external guests, could exploit this flaw to compromise the MMR server, which could give them a foothold in the enterprise network.

Remediation

Administrators running Zoom Node deployments should update immediately to MMR version 5.2.1716.0 or later. Zoom provides update instructions in its Managing Updates for Zoom Node support documentation.

The vulnerability was discovered internally by Zoom's Offensive Security team.
