Critical Zoom Vulnerability Exposes Systems to Remote Code Execution
A critical security flaw has been identified in Zoom’s Node Multimedia Routers (MMRs), potentially allowing meeting participants to execute arbitrary code on affected systems. This vulnerability, designated as CVE-2026-22844, has been assigned a CVSS severity score of 9.9, underscoring its critical nature and the immediate need for remediation.
Understanding the Vulnerability
The command injection vulnerability is present in Zoom Node MMR versions prior to 5.2.1716.0. It impacts two primary deployment scenarios: Zoom Node Meetings Hybrid (ZMH) and Zoom Node Meeting Connector (MC) environments. Exploitation of this flaw requires only network access and low-level privileges, with no user interaction necessary.
Technical Details
– CVE ID: CVE-2026-22844
– Bulletin: ZSB-26001
– CVSS Score: 9.9 (Critical)
– Attack Vector: Network
– Flaw Type: Command Injection
An attacker with valid meeting participant credentials could exploit this vulnerability to achieve remote code execution directly on the MMR infrastructure. The criticality of this flaw is due to its network-accessible vector and its potential to compromise the entire system. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating high impact across confidentiality, integrity, and availability. This means attackers could steal data, modify system configurations, and disrupt services simultaneously.
Impacted Systems
Organizations operating Zoom Node Meetings, Hybrid, or Meeting Connector deployments are at immediate risk. The vulnerability specifically targets MMR modules running versions before 5.2.1716.0. Identifying the current version and applying patches are primary mitigation steps. Zoom has credited its Offensive Security team with discovering this vulnerability.
Recommended Actions
Zoom strongly advises administrators to update affected MMR modules to version 5.2.1716.0 or later without delay. The company has provided detailed guidance through its Managing Updates for Zoom Node support documentation, offering step-by-step instructions for deploying patches across Zoom Node infrastructure.
Organizations should prioritize this update as critical, treating it with the same urgency as responses to zero-day vulnerabilities. Given the vulnerability’s low attack complexity and requirement for only basic participant-level access, the risk of exploitation is substantial in real-world environments.
Broader Context
This vulnerability is part of a concerning trend of command injection flaws affecting various platforms. For instance, similar vulnerabilities have been identified in SonicWall SMA100 appliances (CVE-2023-44221) and FortiSandbox analysis appliances (CVE-2025-53949), both allowing remote code execution. These incidents highlight the critical need for organizations to maintain vigilant patch management and robust security protocols.
Conclusion
The discovery of CVE-2026-22844 in Zoom’s MMR infrastructure underscores the importance of proactive cybersecurity measures. Organizations utilizing Zoom Node deployments must immediately verify their current MMR versions and apply the necessary patches without delay. Given the critical severity rating and ease of exploitation, this vulnerability represents a substantial security risk requiring urgent attention across all affected environments.
