Security/ security · zoom · vulnerabilities · windows

Zoom Fixes Critical Account-Takeover Bug in Windows Clients

A 9.8-severity input validation flaw in Zoom's Windows desktop client and VDI products could have let attackers hijack accounts remotely.

Zoom has patched a critical remote account-takeover vulnerability affecting several of its Windows products.

The bug, tracked as CVE-2026-53412 and scored 9.8 out of 10, stems from improper input validation in Zoom Desktop Client for Windows before version 7.0.0, Zoom Meeting SDK for Windows before 7.0.0, and Zoom VDI Client for Windows before versions 7.0.10, 6.6.15, and 6.5.18. Zoom's advisory offers no technical detail on how the flaw could be triggered, which is standard practice when patches are fresh. The company says all four vulnerabilities described in the advisory were found internally and have not been exploited in the wild.

Three additional high-severity bugs round out the patch batch. CVE-2026-53410, a TOCTOU race condition scored 7.0, hits Zoom Workplace for Windows before 7.0.5, VDI Client and VDI Plugin before 6.5.17 and 6.6.14, Zoom Rooms for Windows before 7.0.5, and Remote Control for Zoom Contact Center before 7.0.0. CVE-2026-53409, an improper privilege management flaw, affects Zoom Rooms for Windows before 7.1.0. CVE-2026-53411, another input validation issue, targets the Zoom Workplace VDI Plugin for Windows before 6.6.14. Defenders running VDI or Rooms deployments have the most specific version thresholds to check.

For a platform that spent 2020 and 2021 under a microscope for security missteps — end-to-end encryption that wasn't, Zoombombing, routing calls through China — self-reporting a near-perfect-score flaw before anyone exploits it is the kind of boring-good headline Zoom's security team probably prefers.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →