Skip to main content

Remote Control for Zoom Contact Center CVE-2026-53406

| EUVDEUVD-2026-36521 HIGH
Insufficient Verification of Data Authenticity (CWE-345)
2026-06-12 Zoom GHSA-789h-4f4q-2gq6
7.8
CVSS 3.1 · Vendor: Zoom
Share

Severity by source

Vendor (Zoom) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local privilege escalation requiring an existing low-privileged authenticated session on the Windows host (AV:L, PR:L), no user interaction, and yielding full CIA impact via SYSTEM-level code execution.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Zoom).

CVSS VectorVendor: Zoom

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 12, 2026 - 19:01 EUVD
Analysis Generated
Jun 12, 2026 - 18:18 vuln.today
CVE Published
Jun 12, 2026 - 17:52 cve.org
HIGH 7.8

DescriptionCVE.org

Insufficient Verification of Data Authenticity in Remote Control for Zoom Contact Center for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.

AnalysisAI

Local privilege escalation in Remote Control for Zoom Contact Center for Windows prior to version 7.0.0 allows an authenticated user with local access to elevate privileges due to insufficient verification of data authenticity. The flaw, reported by Zoom and tracked in bulletin ZSB-26009, carries a CVSS 3.1 base score of 7.8 (High) with no public exploit identified at time of analysis. Exploitation requires existing local authenticated access, which limits opportunistic abuse but makes this a strong post-compromise pivot on workstations running the Zoom Contact Center remote control component.

Technical ContextAI

The vulnerability resides in the Windows build of the Remote Control feature shipped with Zoom Contact Center, an agent-side desktop component used to facilitate remote assistance and screen-control sessions within Zoom's contact center workflows. The root cause is CWE-345 (Insufficient Verification of Data Authenticity), meaning the application accepts data - likely commands, configuration input, IPC messages, or update artifacts - without sufficiently validating their origin or integrity. On Windows endpoints where this component runs with elevated rights or as a privileged service, an unprivileged local process can supply crafted data that the trusted component acts upon, resulting in privilege escalation. The affected CPE is cpe:2.3:a:zoom_communications:remote_control_for_zoom_contact_center, scoped to versions before 7.0.0.

RemediationAI

Vendor-released patch: upgrade Remote Control for Zoom Contact Center for Windows to version 7.0.0 or later, per Zoom security bulletin ZSB-26009 (https://www.zoom.com/en/trust/security-bulletin/zsb-26009). Where immediate patching is not possible, compensating controls include restricting interactive logon and local accounts on contact-center agent workstations to trusted personnel only, applying application allow-listing (e.g., Windows Defender Application Control or AppLocker) to block untrusted binaries that could supply crafted input to the trusted component, and using EDR to monitor for unexpected child processes or token manipulation originating from the Zoom remote control process - noting these reduce but do not eliminate exploitability and may add operational friction for legitimate agent tooling. Temporarily disabling or uninstalling the Remote Control component on hosts that do not require it is the strongest mitigation, at the cost of losing remote-assist functionality for those agents.

Share

CVE-2026-53406 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy