Skip to main content

Zoom Workplace VDI Plugin CVE-2026-30905

| EUVDEUVD-2026-30111 HIGH
External Control of File Name or Path (CWE-73)
2026-05-13 Zoom GHSA-xg43-qr5w-q4jr
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jun 08, 2026 - 08:39 vuln.today
Patch available
May 13, 2026 - 20:02 EUVD
CVE Published
May 13, 2026 - 18:00 nvd
HIGH 7.8

DescriptionCVE.org

External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.

AnalysisAI

Local privilege escalation in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 allows an authenticated low-privileged user to elevate to higher privileges through external control of a file name or path during installation routines. The flaw was reported by Zoom and carries CVSS 7.8 with total technical impact, though no public exploit identified at time of analysis and EPSS sits at 0.01%. SSVC indicates exploitation status 'none' and the attack is not automatable, marking this as a patch-on-schedule rather than emergency item.

Technical ContextAI

The Zoom Workplace VDI Plugin is a Windows-side companion installed on virtual desktop endpoints to offload Zoom media processing from the VDI session to the local client, commonly deployed in Citrix, VMware Horizon, and Azure Virtual Desktop environments. The root cause class is CWE-73 (External Control of File Name or Path), meaning the installer accepts or constructs a filesystem path using input that an unprivileged caller can influence, allowing the privileged installer process to read, write, or execute files at attacker-chosen locations. In Windows installer contexts this commonly manifests as MSI custom actions, repair/rollback operations, or service helpers that resolve paths under user-writable directories while running as SYSTEM, enabling DLL planting, arbitrary file overwrite, or symbolic-link redirection to achieve code execution in a privileged context. The affected CPE is cpe:2.3:a:zoom_communications:zoom_workplace_vdi_plugin covering all versions prior to 6.6.11 on Windows.

RemediationAI

Vendor-released patch: 6.6.11 - upgrade the Zoom Workplace VDI Plugin Windows Universal Installer to 6.6.11 or later on every VDI endpoint and golden image, per Zoom Security Bulletin ZSB-26007 (https://www.zoom.com/en/trust/security-bulletin/zsb-26007). Because installer-time flaws are typically only triggerable during install, repair, or upgrade flows, prioritize image rebuilds and pushed upgrades via SCCM/Intune/Workspace ONE rather than relying on user-initiated updates. As compensating controls until the patched build is deployed, restrict who can invoke the installer or MSI repair on shared VDI hosts (remove standard users from any group permitted to run msiexec repair on this product), block writes to predictable temp/install paths used by the installer through AppLocker or WDAC file-path rules (trade-off: may break legitimate updates and require allowlist tuning), and monitor for unexpected child processes or file writes spawned by the Zoom installer running as SYSTEM. Avoid leaving older plugin versions installed on persistent VDI golden images even if the runtime is uninstalled, since installer remnants can remain exploitable.

Share

CVE-2026-30905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy