Zoom has issued urgent security patches addressing three high-severity vulnerabilities across its Workplace mobile apps and Contact Center for Windows, with CVSS scores reaching 8.1, exposing millions of enterprise users to unauthenticated privilege escalation and local system takeover.
On June 9, 2026, Zoom published two security bulletins, ZSB-26010 and ZSB-26009, disclosing a total of three CVEs affecting Zoom Workplace for Android and iOS, Zoom Meeting SDK, and the Remote Control component of Zoom Contact Center for Windows.
The flaws were independently reported by security researchers Dimitrios Valsamaras (ZSB-26010) and sim0nsecurity (ZSB-26009), highlighting active community-driven bug discovery in the Zoom ecosystem. All three vulnerabilities are rated High severity, and no exploitation in the wild had been confirmed as of the publication date.
The most critical pair of flaws, tracked as CVE-2026-53407 and CVE-2026-53408, stems from CWE-939 (Improper Authorization in Handler for Custom URL Scheme), a class of vulnerability in which a mobile application implements a custom URI scheme handler but fails to validate which applications or external sources are permitted to invoke it.
In Zoom’s case, this flaw affects Zoom Workplace for Android (before version 7.0.4) and iOS (before version 7.0.3), as well as the Zoom Meeting SDK for both platforms before the same respective versions.
The attack scenario is particularly alarming: an unauthenticated attacker operating over the network can craft a malicious URI-scheme invocation that tricks the Zoom Workplace client into executing privileged actions without requiring any credentials.
Because Attack Complexity is rated Low and Privileges Required is None, the barrier to exploitation is minimal. Any attacker on a shared network or public Wi-Fi hotspot, or one operating via a compromised website able to launch deep links, could potentially weaponize this flaw.
Successful exploitation results in a high impact on confidentiality and integrity, meaning sensitive meeting data, session tokens, and user credentials stored within the app context could be compromised or manipulated.
Custom URL scheme abuse has a well-documented history in mobile security research. OWASP’s Mobile Application Security Testing Guide explicitly identifies URI scheme handlers as significant attack vectors, emphasizing the need to validate all URL parameters and restrict invocation to trusted sources.
Without those controls, attackers can intercept, forge, or hijack deep-link-triggered operations inside the target app, precisely what these two CVEs describe.
Affected Products:
- Zoom Workplace for Android — before version 7.0.4
- Zoom Workplace for iOS — before version 7.0.3
- Zoom Meeting SDK for Android — before version 7.0.4
- Zoom Meeting SDK for iOS — before version 7.0.3
The second bulletin covers CVE-2026-53406, which is rooted in CWE-345 Insufficient Verification of Data Authenticity, and affects the Remote Control feature of Zoom Contact Center for Windows before version 7.0.0.
Unlike the mobile flaws, this is a local privilege escalation (LPE) vulnerability: an authenticated user with low-level privileges can exploit it without user interaction to gain elevated system privileges, resulting in full confidentiality, integrity, and availability impacts on the compromised host.
The CVSS vector indicates that Attack Complexity is Low and that no User Interaction is required, meaning an insider threat actor, a compromised service account, or malware already present on a system running Zoom Contact Center could immediately exploit this flaw to escalate to SYSTEM-level privileges.
With full availability impact (A:H) included, ransomware or other destructive payloads could execute with elevated privileges post-exploitation.
The vulnerability was flagged under EUVD-2026-36521 and verified by multiple threat intelligence platforms, including Feedly and OpenCVE.
This disclosure follows a broader pattern of Zoom local privilege escalation vulnerabilities in its Windows ecosystem. Zoom previously patched CVE-2026-30902 (CVSS 7.8), an improper privilege management flaw in Windows clients, and the critical CVE-2026-30903 (CVSS 9.6), involving external file path control in the Mail feature, indicating that Zoom's Windows-based contact center components have been under sustained security scrutiny.
Affected Product:
- Remote Control for Zoom Contact Center for Windows before version 7.0.0
Mitigation
Zoom has released patches for all three vulnerabilities. Organizations and individual users should act immediately:
- Update Zoom Workplace for Android to version 7.0.4 or later
- Update Zoom Workplace for iOS to version 7.0.3 or later
- Update Zoom Meeting SDK (Android/iOS) to the same respective patched versions
- Update Remote Control for Zoom Contact Center for Windows to version 7.0.0 or later
- Download all updates from the official Zoom download portal at https://zoom.us/download
- Enterprise administrators should audit deployed Zoom SDK versions in third-party apps built on Zoom’s Meeting SDK platform, as those integrations inherit the same vulnerability surface
- Network administrators should consider restricting deep-link and custom URI invocations from untrusted sources at the MDM/MAM layer until devices are confirmed as patched
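For the SDK and client audit recommended above, the following added example checks an inventory of installed versions against the patched versions listed in this article. It is not a Zoom tool; the inventory records are constructed for illustration, and the product names are used as dictionary keys so they must match the labels exactly.

```python
# Patched versions taken from the bulletins summarized in this article.
PATCHED = {
    "Zoom Workplace for Android": (7, 0, 4),
    "Zoom Workplace for iOS": (7, 0, 3),
    "Zoom Meeting SDK for Android": (7, 0, 4),
    "Zoom Meeting SDK for iOS": (7, 0, 3),
    "Remote Control for Zoom Contact Center for Windows": (7, 0, 0),
}


def parse_version(text: str) -> tuple:
    """Turn '7.0.3' or '7.0.3.1234' into a comparable tuple of integers.

    Only leading numeric segments are used; a build suffix such as '-beta'
    stops parsing so that '7.0.3-beta' compares as 7.0.3.
    """
    parts = []
    for segment in text.strip().split("."):
        digits = ""
        for ch in segment:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError(f"unparseable version {text!r}")
    return tuple(parts)


def is_patched(product: str, version: str) -> bool:
    """True when the installed version is at or above the patched version."""
    return parse_version(version) >= PATCHED[product]


def audit(inventory: list) -> list:
    """Return the ids of inventory entries that still need an update.

    Each record is a dict with 'id', 'product' and 'version'. Products not
    covered by the bulletins are ignored; unparseable versions are flagged,
    since an unknown version cannot be proven safe.
    """
    needs_update = []
    for rec in inventory:
        if rec["product"] not in PATCHED:
            continue
        try:
            ok = is_patched(rec["product"], rec["version"])
        except ValueError:
            ok = False
        if not ok:
            needs_update.append(rec["id"])
    return needs_update


# Constructed sample inventory, e.g. exported from an MDM console.
SAMPLE_INVENTORY = [
    {"id": "android-001", "product": "Zoom Workplace for Android", "version": "7.0.3"},
    {"id": "android-002", "product": "Zoom Workplace for Android", "version": "7.0.4"},
    {"id": "ios-001", "product": "Zoom Workplace for iOS", "version": "7.0.3.2210"},
    {"id": "ios-002", "product": "Zoom Workplace for iOS", "version": "6.9.1"},
    {"id": "app-sdk-01", "product": "Zoom Meeting SDK for Android", "version": "7.0.4"},
    {"id": "cc-host-01", "product": "Remote Control for Zoom Contact Center for Windows", "version": "6.5.10"},
    {"id": "cc-host-02", "product": "Remote Control for Zoom Contact Center for Windows", "version": "unknown"},
    {"id": "other-01", "product": "Some Unrelated App", "version": "1.0"},
]

if __name__ == "__main__":
    for entry_id in audit(SAMPLE_INVENTORY):
        print("needs update:", entry_id)
```

Comparing versions as integer tuples avoids the string-comparison trap where "7.0.10" sorts before "7.0.4"; entries whose version cannot be parsed are reported rather than silently passed, which is the safer default for a patch-compliance check.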
| CVE | Reported By | Published | Bulletin |
|---|---|---|---|
| CVE-2026-53407 | Dimitrios Valsamaras | June 9, 2026 | ZSB-26010 |
| CVE-2026-53408 | Dimitrios Valsamaras | June 9, 2026 | ZSB-26010 |
| CVE-2026-53406 | sim0nsecurity | June 9, 2026 | ZSB-26009 |
FAQ
Q1: What are CVE-2026-53407 and CVE-2026-53408?
These are high-severity (CVSS 8.1) improper authorization flaws in Zoom Workplace’s custom URL scheme handler for Android and iOS, enabling unauthenticated privilege escalation via network access.
Q2: Who is affected by the Zoom Contact Center vulnerability CVE-2026-53406?
Any organization running Remote Control for Zoom Contact Center for Windows before version 7.0.0 is at risk of local privilege escalation by an authenticated low-privilege user.
Q3: Are these Zoom vulnerabilities actively exploited in the wild?
As of June 13, 2026, no public proof-of-concept exploit or confirmed in-the-wild exploitation has been reported for any of the three CVEs.
Q4: How do I fix the Zoom Workplace mobile vulnerability immediately?
Update Zoom Workplace to version 7.0.4 on Android and 7.0.3 on iOS via the official Zoom download page.
Site: thecybrdef.com