Zoom patches Windows and iOS flaws that can expose systems to privilege escalation
Zoom has patched three security vulnerabilities affecting Zoom Rooms for Windows, the Zoom Workplace VDI Plugin for Windows, and Zoom Workplace for iOS.
The two most serious flaws affect Windows installers and can allow a local authenticated attacker to escalate privileges on a vulnerable device. The third issue affects the iOS app and can expose information if an attacker has physical access to the device.
Zoom published all three advisories on May 12, 2026, and recommends that users install the latest available updates from the official Zoom download page.
Zoom vulnerabilities at a glance
| CVE | Product | Severity | Impact | Affected versions |
|---|---|---|---|---|
| CVE-2026-30906 | Zoom Rooms for Windows | High | Local privilege escalation | Before 7.0.0 |
| CVE-2026-30905 | Zoom Workplace VDI Plugin for Windows | High | Local privilege escalation | Version 6.6.10 |
| CVE-2026-30904 | Zoom Workplace for iOS | Low | Information disclosure | Before 7.0.0 |
Zoom Rooms for Windows flaw carries high severity
CVE-2026-30906 affects the installer for Zoom Rooms for Windows before version 7.0.0. Zoom rates the vulnerability High with a CVSS score of 7.8.
The flaw involves an untrusted search path. This type of weakness can allow local attackers to influence where software looks for files during installation or execution.
Zoom says an authenticated user could exploit the issue through local access to escalate privileges. Security researcher sim0nsecurity reported the vulnerability to Zoom.
Zoom Workplace VDI Plugin also gets a high-severity fix
CVE-2026-30905 affects the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11. Zoom lists version 6.6.10 as affected.
The issue involves external control of a file name or path. A local authenticated attacker could abuse the installer behavior to escalate privileges on the affected system.
Zoom also rates this vulnerability High with a CVSS score of 7.8. The issue was reported by sim0nsecurity, the same researcher credited for the Zoom Rooms for Windows flaw.
Zoom Workplace for iOS flaw has lower risk
CVE-2026-30904 affects Zoom Workplace for iOS before version 7.0.0. Zoom rates it Low with a CVSS score of 1.8.
The vulnerability involves a protection mechanism failure. Zoom says an authenticated user could exploit the issue to disclose information through physical access.
This makes the iOS issue less urgent than the two Windows flaws. However, organizations that manage mobile fleets should still update affected iPhones and iPads as part of regular patching.
Why local privilege escalation still matters
Local privilege escalation vulnerabilities do not usually provide initial access by themselves. An attacker first needs a foothold on the device or a valid low-privilege account.
Once that access exists, privilege escalation can become dangerous. It can help attackers gain deeper control, disable defenses, access protected files, or move closer to administrator-level permissions.
This is why Windows installer vulnerabilities remain important in enterprise environments. Attackers often chain them with phishing, stolen credentials, malware, or exposed remote access systems.
Who should update first
- Organizations using Zoom Rooms for Windows should update those systems to version 7.0.0 or later.
- Teams using Zoom Workplace VDI Plugin 6.6.10 for Windows should upgrade to 6.6.11 or later.
- Mobile device management teams should update Zoom Workplace for iOS to version 7.0.0 or later.
- IT teams should review shared Windows devices, conference room systems, and VDI endpoints first.
- Admins should limit local user permissions on devices that run Zoom installers or meeting room software.
What administrators should check
Admins should confirm which Zoom products run across meeting rooms, Windows endpoints, VDI environments, and managed iOS devices.
They should also check whether local users can run installers or modify directories used by installers. Reducing unnecessary local permissions can lower the risk from similar bugs.
For managed environments, patch deployment should go through normal endpoint management, VDI image update, and mobile device management workflows.
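The inventory and permission checks described above, as an added example (not code from Zoom or from the article): the script reads the standard Windows uninstall registry keys, compares installed Zoom versions with the fixed versions named in the advisories, and flags directories that broad local identities can write to. The DisplayName prefixes and the candidate directory set (machine PATH plus ProgramData) are assumptions to adjust for your own fleet.

```powershell
# Added example, not code from Zoom or the article. Run in an elevated session.
$Fixed = @{                                          # fixed versions from the advisories
    'Zoom Rooms'                = [version]'7.0.0'   # CVE-2026-30906
    'Zoom Workplace VDI Plugin' = [version]'6.6.11'  # CVE-2026-30905
}
# Assumption: the DisplayName prefixes above match what Apps & Features shows.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-ZoomPatchStatus {
    $apps = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Zoom*' }
    foreach ($app in $apps) {
        $name = $app.DisplayName
        $key  = $Fixed.Keys | Where-Object { $name -like "$_*" } | Select-Object -First 1
        [version]$installed = $null
        $parsed = [version]::TryParse([string]$app.DisplayVersion, [ref]$installed)
        if (-not $key)                       { $status = 'Not covered by these advisories' }
        elseif (-not $parsed)                { $status = 'Version not parseable; check manually' }
        elseif ($installed -lt $Fixed[$key]) { $status = 'VULNERABLE - update required' }
        else                                 { $status = 'Patched' }
        $fixedIn = if ($key) { $Fixed[$key] } else { 'n/a' }
        [pscustomobject]@{ Product = $name; Installed = $app.DisplayVersion; FixedIn = $fixedIn; Status = $status }
    }
}

# Flags Allow ACEs granting write-class rights to identities every local user holds.
function Get-BroadlyWritableDirs {
    param([string[]]$Paths)
    $broad     = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    foreach ($p in ($Paths | Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) })) {
        foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value -and
                (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{ Path = $p; Identity = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            }
        }
    }
}

# Assumption: machine PATH entries (the search-path weakness class) plus ProgramData;
# replace with the directories your installers actually use.
$candidates = ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';') + $env:ProgramData
Get-ZoomPatchStatus | Format-Table -AutoSize
Get-BroadlyWritableDirs -Paths $candidates | Format-Table -AutoSize
```

Any directory reported by the second check is one where a standard user can drop or replace files, which is the precondition the advisories' weakness classes describe; tighten its ACL or move the installer's working directory.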
Recommended response
| Environment | Recommended action |
|---|---|
| Zoom Rooms for Windows | Update to version 7.0.0 or later |
| Zoom Workplace VDI Plugin for Windows | Update to version 6.6.11 or later |
| Zoom Workplace for iOS | Update to version 7.0.0 or later |
| Shared Windows devices | Review local user rights and installer access |
| Enterprise fleets | Deploy updates through endpoint management and MDM tools |
The bottom line
Zoom’s latest security updates fix two Windows vulnerabilities that can help authenticated local attackers escalate privileges. They also fix a lower-risk iOS information disclosure issue.
The Windows flaws deserve the most attention because they affect installers and carry High severity ratings. Conference room PCs, VDI environments, and shared endpoints should receive early review.
Users and administrators should install the latest Zoom updates and keep local permissions tightly controlled across managed devices.
FAQ
Yes. Zoom says CVE-2026-30905 affects Zoom Workplace VDI Plugin version 6.6.10 for Windows.
No. Zoom says CVE-2026-30906 affects Zoom Rooms for Windows before version 7.0.0.
The two Windows vulnerabilities are the most serious. Both are rated High and can allow local authenticated privilege escalation.
Zoom patched CVE-2026-30906, CVE-2026-30905, and CVE-2026-30904 across Zoom Rooms for Windows, Zoom Workplace VDI Plugin for Windows, and Zoom Workplace for iOS.