Zoom has released security updates to fix a critical vulnerability in its Windows software that could allow attackers to take over user accounts without requiring authentication.
The flaw, tracked as CVE-2026-53412, was discovered internally by Zoom and assigned a CVSS severity score of 9.8 out of 10, making it one of the most serious security issues affecting the company’s desktop software.
According to Zoom, the vulnerability impacts Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15, and 6.5.18, and the Zoom Meeting SDK for Windows before version 7.0.0.
Zoom Workplace, formerly known simply as Zoom, is the company’s collaboration platform that includes video conferencing, team chat, VoIP calling, email, calendars, document collaboration, whiteboards, and AI-powered productivity tools. The Windows desktop application is widely used by millions of individuals and organizations around the world.
The company described the vulnerability as an improper input validation issue that could allow an unauthenticated attacker to perform an account takeover over a network. Zoom has not released technical details about the flaw, likely to reduce the risk of exploitation before users install the available security updates.
In addition to the critical vulnerability, Zoom also patched three other high-severity security flaws. These include CVE-2026-53410, a time-of-check to time-of-use (TOCTOU) race condition that could allow a local authenticated user to gain elevated privileges during software installation or removal; CVE-2026-53409, an improper privilege management issue affecting Zoom Rooms for Windows that could enable local privilege escalation; and CVE-2026-53411, an improper input validation flaw in the Zoom Workplace VDI Plugin for Windows that could also allow authenticated users with local access to elevate privileges.
Zoom recommends that all Windows users update to the latest available versions of its software as soon as possible to protect against these vulnerabilities.
At the time of disclosure, there is no evidence that any of the newly patched vulnerabilities have been exploited in real-world attacks.





