Zoom has released security updates for a critical security flaw impacting Zoom Workplace for Windows that could facilitate account takeover.
The vulnerability, tracked as CVE-2026-53412 (CVSS score: 9.8), affects Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows.
“Improper Input Validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an account takeover via network access,” Zoom said in an advisory released this week.
The latest security fixes also address three high-severity flaws –
- CVE-2026-53411 (CVSS score: 7.8) – An improper input validation vulnerability in the Zoom Workplace VDI Plugin for Windows before version 6.6.14 that may allow an authenticated user to conduct an escalation of privilege via local access.
- CVE-2026-53410 (CVSS score: 7.0) – A time-of-check to time-of-use (TOCTOU) race condition vulnerability in the installation and uninstallation process of certain Zoom Clients for Windows that could allow an authenticated local user to escalate privileges.
- CVE-2026-53409 (CVSS score: 7.8) – An improper privilege management vulnerability in Zoom Rooms for Windows before version 7.1.0 that may allow an authenticated user to conduct an escalation of privilege via local access.
It’s worth noting that CVE-2026-53410 affects the following products –
- Zoom Workplace for Windows before version 7.0.5
- Zoom Workplace VDI Client for Windows before 6.5.17 and 6.6.14 in their respective branch
- Zoom Workplace VDI plugin for Windows before 6.5.17 and 6.6.14 in their respective branch
- Zoom Rooms for Windows before 7.0.5
- Remote Control for Zoom Contact Center for Windows before version 7.0.0
As of writing, there are no indications that any of the flaws are being exploited in real-world attacks. Users can stay protected by applying the latest updates.