CVE-2026-30900

7.8 HIGH

📋 TL;DR

This vulnerability in the Zoom Client for Windows allows an authenticated local user to escalate privileges by exploiting an improper minimum-version check during the update process. A successful attacker gains elevated system access on the affected Windows machine. Only Windows Zoom clients in the vulnerable version range are impacted.

💻 Affected Systems

Products:
  • Zoom Client for Windows
Versions: Specific versions prior to patch (exact range from ZSB-26002)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated local user access. Zoom Rooms and other Zoom products not affected according to advisory.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local authenticated attacker gains SYSTEM/administrator privileges, enabling complete system compromise, persistence installation, and lateral movement capabilities.

🟠 Likely Case

Malicious insider or compromised user account escalates to admin rights, allowing installation of malware, data theft, or credential harvesting.

🟢 If Mitigated

With proper patch management and least privilege controls, impact limited to isolated workstation compromise without lateral movement.

🌐 Internet-Facing: LOW - Requires local authenticated access, not directly exploitable over network.
🏢 Internal Only: HIGH - Internal users with local access to vulnerable workstations can exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local authenticated access. The assigned weakness, CWE-754 (Improper Check for Unusual or Exceptional Conditions), refers to the version check performed during the update process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version specified in ZSB-26002 advisory

Vendor Advisory: https://www.zoom.com/en/trust/security-bulletin/zsb-26002

Restart Required: Yes

Instructions:

  1. Open the Zoom client.
  2. Click the profile picture → Check for Updates.
  3. Install the available update.
  4. Restart the Zoom client.
  5. Verify that the version matches the patched version from the advisory.

🔧 Temporary Workarounds

Disable local user installation rights (Windows)

Restrict standard users from running the Zoom installer or update processes with elevated privileges.

Use Group Policy: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → User Rights Assignment

Implement application whitelisting (Windows)

Prevent unauthorized Zoom update processes from executing with elevated privileges.

Use AppLocker or Windows Defender Application Control to restrict Zoom update executables.

🧯 If You Can't Patch

  • Implement strict least privilege: Ensure standard users cannot run processes with administrative rights
  • Monitor for suspicious Zoom update processes running with elevated privileges

🔍 How to Verify

Check if Vulnerable:

Check Zoom client version against vulnerable versions listed in ZSB-26002 advisory

Check Version:

In Zoom client: Click profile picture → About Zoom, or check installed programs in Windows Control Panel

Verify Fix Applied:

Confirm Zoom client version matches or exceeds patched version from advisory

📡 Detection & Monitoring

Log Indicators:

  • Zoom update processes running with SYSTEM or admin privileges
  • Unexpected privilege escalation events in Windows Security logs
  • Zoom installer execution by non-admin users

Network Indicators:

  • Zoom update traffic from non-standard user accounts
  • Unusual outbound connections following local Zoom process execution

SIEM Query:

EventID=4688 AND ProcessName LIKE '%zoom%' AND SubjectUserName != 'SYSTEM' AND (NewProcessName LIKE '%install%' OR NewProcessName LIKE '%update%')
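The version check from "How to Verify" and the SIEM query above, combined into one PowerShell script as an added example (not code from the advisory, NVD or Zoom). It assumes the Zoom.exe install paths shown, that process-creation auditing (Event ID 4688) is enabled, and uses a placeholder for the patched version, which must be taken from ZSB-26002; run it from an elevated prompt so every profile and the Security log are readable.

```powershell
# Added example. Assumed paths: machine-wide installs under Program Files,
# per-user installs under each profile's AppData\Roaming\Zoom\bin.
function Get-ZoomInstallStatus {
    param([Parameter(Mandatory)][version]$PatchedVersion)
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) +
             (Get-ChildItem "$env:SystemDrive\Users" -Directory |
              ForEach-Object { Join-Path $_.FullName 'AppData\Roaming' })
    foreach ($root in ($roots | Where-Object { $_ })) {
        $exe = Join-Path $root 'Zoom\bin\Zoom.exe'
        if (-not (Test-Path $exe)) { continue }
        # FileVersionRaw is a [version], so the comparison is numeric, not string
        $installed = (Get-Item $exe).VersionInfo.FileVersionRaw
        [pscustomobject]@{
            Path      = $exe
            Installed = $installed
            Patched   = ($installed -ge $PatchedVersion)
        }
    }
}

function Find-ZoomUpdateLaunches {
    param([int]$LookbackHours = 24)
    # The SIEM query run locally: 4688 events where a Zoom installer/updater
    # was started by an account other than LocalSystem (SID S-1-5-18). The SID
    # is used because SYSTEM is logged under the computer account name.
    $filter = @{ LogName = 'Security'; Id = 4688
                 StartTime = (Get-Date).AddHours(-$LookbackHours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $proc = [string]$d['NewProcessName']
        if ($proc -match 'zoom' -and $proc -match 'install|update' -and
            $d['SubjectUserSid'] -ne 'S-1-5-18') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process = $proc
                Parent  = $d['ParentProcessName']
                # %%1937 = full (elevated) token: the "running elevated" signal
                Token   = $d['TokenElevationType']
            }
        }
    }
}

$patched = [version]'0.0.0.0'   # PLACEHOLDER: substitute the fixed version from ZSB-26002
Get-ZoomInstallStatus -PatchedVersion $patched | Format-Table -AutoSize
Find-ZoomUpdateLaunches -LookbackHours 24 | Format-Table -AutoSize
```

A Token value of %%1937 on a launch by a standard user account is the condition the log indicators above describe; %%1936 (default) or %%1938 (limited) launches are ordinary per-user update activity.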
