PROBABLYPWNED
Vulnerabilities · January 22, 2026 · 4 min read

Zoom Patches CVSS 9.9 Flaw That Let Meeting Participants Run Code

CVE-2026-22844 allowed meeting participants to execute arbitrary code on Zoom's on-premises multimedia routers. No active exploitation reported yet.

Marcus Chen

Zoom has patched a near-maximum severity vulnerability in its Multimedia Router infrastructure that allowed meeting participants to execute arbitrary code on affected servers. CVE-2026-22844 scores 9.9 on the CVSS 4.0 scale and affects organizations running Zoom's on-premises meeting infrastructure rather than cloud-hosted deployments.

The company's internal Offensive Security team discovered the flaw and disclosed it Tuesday. No exploitation has been observed in the wild, but the bar to exploit is low, since any participant in a meeting routed through an affected MMR can trigger it, which makes patching urgent for enterprises running self-hosted Zoom infrastructure.

What Is CVE-2026-22844?

The vulnerability is a command injection flaw in Zoom Node Multimedia Routers (MMRs). These are the on-premises servers that route audio and video for organizations that deploy Zoom Meeting Controller or Zoom Meeting Handler rather than relying on Zoom's cloud infrastructure.

An attacker who joins a meeting hosted on a vulnerable MMR can inject shell commands that execute with elevated privileges on the underlying server. The attack requires network access to the meeting—meaning the attacker needs to be a participant or otherwise have network connectivity to the MMR—but no additional authentication beyond joining the meeting.

Affected components include:

  • ZMH (Zoom Meeting Handler) MMR module versions before 5.2.1716.0
  • MC (Meeting Controller) MMR module versions before 5.2.1716.0

Organizations running cloud-hosted Zoom deployments are not affected since they don't operate MMR infrastructure.

How the Attack Works

Command injection vulnerabilities arise when an application pastes user-controlled input into a string that is then handed to a shell, so that characters such as `;`, `|`, `&`, quotes, backticks, and `$()` are interpreted as syntax rather than data. Zoom's advisory does not say which field is injectable; what is known is that some piece of participant-supplied meeting data or meeting signaling reaches a code path on the MMR that builds a shell command from it.
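The pattern in miniature, as an added example that is not Zoom's code and says nothing about where the real flaw sits: a hypothetical media server logs each join by passing a participant-controlled display name to `/bin/sh` via `system()`, wrapped in single quotes that look like sanitisation but are not. The `count_injected_separators` helper is a toy model of how the shell reads the result, and the hardened version drops the shell entirely and passes the name as its own `argv` element. The `/usr/bin/logger` invocation, the `mmr` tag, and the attacker string are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Hypothetical vulnerable sink (constructed for illustration, not Zoom's code):
 * the participant's display name is spliced into a command line that the caller
 * hands to system(). The single quotes do not help: a quote inside the name
 * closes them, and everything after it is parsed as shell syntax.
 */
int build_join_command_vulnerable(const char *display_name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "/usr/bin/logger -t mmr 'participant joined: %s'", display_name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/*
 * Toy model of the shell's view of that string: counts command separators
 * (';', '|', '&', newline) that fall OUTSIDE single quotes, i.e. the number of
 * extra commands the participant has smuggled in. Real shells have much more
 * syntax ($(), backticks, redirects); this is only enough to show the break.
 */
int count_injected_separators(const char *cmd)
{
    int in_single = 0, count = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'')
            in_single = !in_single;
        else if (!in_single && (*p == ';' || *p == '|' || *p == '&' || *p == '\n'))
            count++;
    }
    return count;
}

/*
 * Defence in depth: allow-list the field before it goes anywhere near a
 * process boundary. Printable ASCII, bounded length, no shell metacharacters.
 * (Real display names may need Unicode; the primary fix below does not rely
 * on this check, it just refuses obviously hostile input early.)
 */
int display_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c > 0x7e) return 0;       /* control chars, non-ASCII */
        if (strchr("'\"`$;|&<>\\", c)) return 0;  /* shell metacharacters */
    }
    return 1;
}

/*
 * Hardened form: no shell at all. The display name is one argv element, so the
 * kernel delivers it to logger verbatim and ';' is just a byte in a string.
 * Returns the child's exit status, or -1 if the name is rejected or spawn fails.
 */
int run_join_logger_no_shell(const char *display_name)
{
    if (!display_name_is_safe(display_name)) return -1;

    char msg[128];
    snprintf(msg, sizeof msg, "participant joined: %s", display_name);
    char *const argv[] = { "/usr/bin/logger", "-t", "mmr", msg, NULL };

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* no /bin/sh -c in the path */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker display name: closes the quote, adds a command, reopens it. */
    const char *evil = "Alice'; id > /tmp/mmr-pwned; echo '";
    char cmd[256];

    build_join_command_vulnerable(evil, cmd, sizeof cmd);
    printf("shell would see : %s\n", cmd);
    printf("extra commands  : %d\n", count_injected_separators(cmd));
    printf("allow-list      : %s\n", display_name_is_safe(evil) ? "accepts" : "rejects");
    printf("no-shell path   : %d (refused before any exec)\n", run_join_logger_no_shell(evil));
    return 0;
}
```

The point of the two halves: quoting and escaping participant input for a shell is a losing game, because the fix has to anticipate every piece of shell syntax; building an `argv` array and calling `execv` (or `posix_spawn`) removes the shell from the path so there is nothing to escape.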

An attacker who gains code execution on an MMR server could:

  • Intercept or record meeting traffic passing through the router
  • Pivot to internal networks using the MMR's network position
  • Modify meeting data in transit
  • Use the server as a beachhead for further attacks

The 9.9 CVSS score reflects the low attack complexity, lack of required privileges beyond meeting participation, and critical impact on confidentiality, integrity, and availability.

Who Should Patch

This vulnerability exclusively affects on-premises deployments. If your organization runs Zoom Meeting Controller or Zoom Meeting Handler with self-hosted multimedia routers, you need to update immediately.

To determine if you're affected, check your MMR module versions against the patched version 5.2.1716.0. Any earlier version is vulnerable. Compare the dotted components numerically rather than as strings: as plain text, 5.2.999.0 sorts after 5.2.1716.0 even though it is the older build.
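A version check that gets that comparison right, as an added example rather than anything from Zoom's tooling. It assumes the version string is four dot-separated integers as in the advisory, treats missing trailing components as zero, and reports an unparseable string separately instead of silently calling it fixed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed version for the ZMH and MC MMR modules, from Zoom's advisory. */
#define MMR_FIXED_VERSION "5.2.1716.0"

/*
 * Parse a dotted version ("5.2.1716.0") into up to four integers. Missing
 * trailing components are taken as zero. Returns the number of components
 * read, or -1 if the string is not digits separated by single dots.
 */
int parse_version(const char *s, long parts[4])
{
    int n = 0;
    const char *p = s;
    while (n < 4) {
        char *end;
        if (*p < '0' || *p > '9') return -1;   /* each component must start with a digit */
        parts[n++] = strtol(p, &end, 10);
        p = end;
        if (*p == '\0') break;
        if (*p != '.') return -1;              /* e.g. "5.2.1716.0-rc1" is rejected */
        p++;
    }
    if (*p != '\0') return -1;                 /* more than four components, or trailing junk */
    for (int i = n; i < 4; i++) parts[i] = 0;
    return n;
}

/*
 * 1 = installed version is older than the fix (vulnerable),
 * 0 = at or past the fix, -1 = could not parse the installed version.
 */
int mmr_is_vulnerable(const char *installed)
{
    long have[4], fixed[4];
    if (parse_version(installed, have) < 0) return -1;
    parse_version(MMR_FIXED_VERSION, fixed);
    for (int i = 0; i < 4; i++) {
        if (have[i] < fixed[i]) return 1;
        if (have[i] > fixed[i]) return 0;
    }
    return 0;                                  /* exactly the fixed version */
}

int main(void)
{
    /* Constructed sample inventory: what a fleet check might read from each node. */
    const char *inventory[] = { "5.2.1715.9", "5.2.1716.0", "5.2.999.0", "5.3.0.0", "5.2.1716.0-rc1" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int v = mmr_is_vulnerable(inventory[i]);
        /* Show why strcmp is the wrong tool: it orders "999" above "1716". */
        printf("%-16s numeric: %-11s strcmp says: %s\n", inventory[i],
               v == 1 ? "VULNERABLE" : v == 0 ? "fixed" : "unparseable",
               strcmp(inventory[i], MMR_FIXED_VERSION) < 0 ? "older" : "not older");
    }
    return 0;
}
```

The same comparator applies to the GitLab ranges further down, where 18.6.x, 18.7.x and 18.8.x each have their own fixed release; the fixed version just becomes a per-branch lookup instead of a single constant.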

Organizations using Zoom's standard cloud service or Zoom Rooms without on-prem MMR infrastructure can disregard this advisory—the vulnerable components don't exist in those deployment models.

GitLab Also Ships Fixes

The same week brought multiple high-severity patches from GitLab addressing denial-of-service and authentication bypass flaws. CVE-2025-13927 and CVE-2025-13928 both score 7.5 and allow unauthenticated users to crash GitLab instances through malformed requests.

More concerning is CVE-2026-0723, a 2FA bypass vulnerability scoring 7.4. Attackers who obtain a victim's credential ID can forge device responses to bypass two-factor authentication entirely. The flaw affects GitLab versions 18.6.0 through 18.6.3, 18.7.0 through 18.7.1, and 18.8.0 through 18.8.1.

GitLab has released patched versions 18.6.4, 18.7.2, and 18.8.2.

Why This Matters

Enterprise video conferencing infrastructure has become a high-value target. Organizations that run on-premises deployments often do so for compliance, data residency, or security reasons—making any compromise of that infrastructure particularly damaging.

The discovery by Zoom's internal security team suggests the company is actively hunting for these vulnerabilities before attackers find them. But the existence of a command injection flaw in production code raises questions about input validation practices in the MMR codebase.

For security teams managing critical infrastructure components, this is a reminder that self-hosted deployments trade cloud provider attack surface for on-premises responsibility. The attack surface doesn't shrink—it shifts.

Administrators running affected infrastructure should prioritize this patch given the 9.9 severity score and the low barrier to exploitation. A meeting participant with malicious intent is the only prerequisite for an attack attempt.
