Skip to main content
TechnologyJul 16, 2026· 2 min read

Vulnerability in Zoom for Windows: Account Compromised Remotely, Without Password or Interaction

Zoom has classified a vulnerability in its Windows client as critical, allowing an attacker to take control of a user's account without needing authentication. The flaw, identified as CVE-2026-53412, has received a CVSS score of 9.8 out of 10, just below the theoretical maximum, and affects a vast user base: Zoom Workplace for Windows is installed on millions of devices among individuals and organizations.

According to the bulletin ZSB-26014, the vulnerability arises from inadequate validation of incoming data and enables an unauthenticated user to take control of an account remotely. The CVSS vector published by Zoom (AV:N/AC:L/PR:N/UI:N) provides more details than just the score: the attack comes from a distance, requires no pre-existing privileges, and, notably, does not need any interaction from the victim. These conditions turn a validation error into a concrete risk.

Zoom has not released technical details about the mechanism, limiting its description of the issue to an input validation error. The vulnerability was identified internally by the Zoom Offensive Security team, and currently, there are no indications of exploitation in real attacks.

The affected versions are Zoom Workplace for Windows versions prior to 7.0.0, the Meeting SDK for Windows also before 7.0.0, and the VDI client for Windows, where the corrected releases vary by branch: 7.0.10, 6.6.15, and 6.5.18. The fix involves updating to the latest available version, which Zoom urges users to download from their official portal.

Other Vulnerabilities Fixed in the Same Cycle

The same patch cycle addresses three other issues of high but lower severity, all of which can only be exploited by an already authenticated user with local access to the machine. CVE-2026-53410 is a TOCTOU (time-of-check to time-of-use) race condition that, during installation or uninstallation, opens up a privilege escalation; this affects Zoom Workplace, the client, and VDI plugin, Zoom Rooms for Windows, and Remote Control for Zoom Contact Center.

CVE-2026-53409 involves improper privilege management in Zoom Rooms for Windows versions prior to 7.1.0, while CVE-2026-53411 is another case of inadequate input validation, confined to the VDI plugin for Windows prior to 6.6.14. In both cases, an authenticated local user can elevate their privileges.

The profile of CVE-2026-53412 leaves no room for delay: a remote account takeover on software installed almost everywhere needs to be addressed without hesitation. Updating to the latest release of the client remains the only mitigation indicated by the company.