Skip to main content

Zoom VDI Plugin CVE-2026-53411

| EUVDEUVD-2026-45046 HIGH
Improper Input Validation (CWE-20)
2026-07-16 Zoom GHSA-58pc-566f-r6jx
7.8
CVSS 3.1 · Vendor: Zoom
Share

Severity by source

Vendor (Zoom) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.0 HIGH

Local authenticated user (AV:L/PR:L) must win a TOCTOU timing window (AC:H, raised from vendor AC:L); success yields SYSTEM-level control, so C/I/A all High.

3.1 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Zoom).

CVSS VectorVendor: Zoom

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jul 16, 2026 - 23:03 EUVD
Analysis Generated
Jul 16, 2026 - 22:00 vuln.today
CVE Published
Jul 16, 2026 - 21:13 cve.org
HIGH 7.8

DescriptionCVE.org

A time-of-check to time-of-use (TOCTOU) race condition in the installation and uninstallation process of certain Zoom Clients for Windows could allow an authenticated local user to escalate privileges.

AnalysisAI

Local privilege escalation in the Zoom Workplace VDI Plugin for Windows lets an authenticated local user win a time-of-check to time-of-use (TOCTOU) race during the plugin's install/uninstall routine to gain higher privileges (per CVSS, full confidentiality, integrity, and availability impact). The flaw was self-reported by Zoom (bulletin ZSB-26013) and carries a CVSS 3.1 base score of 7.8; no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as local user on Windows VDI host
Delivery
Trigger plugin install/uninstall routine
Exploit
Win TOCTOU race on validated file/path
Execution
Redirect privileged operation to attacker target
Persist
Execute code as SYSTEM
Impact
Escalate to full host control

Vulnerability AssessmentAI

Exploitation Requires an already-authenticated local user with the ability to trigger or coincide with the Zoom Workplace VDI Plugin's installation or uninstallation process on a Windows host, and the attacker must win the TOCTOU timing window between the installer's check and use of a resource. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 7.8 High) describes a local, low-privilege, no-user-interaction attack with full impact - a credible privilege-escalation primitive on affected hosts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A logged-in standard user on a Windows VDI host launches or triggers the Zoom VDI Plugin install/uninstall routine and, while the privileged installer validates then acts on a file or path, swaps that target (e.g., via a symbolic link or rapid file replacement) so the SYSTEM-level operation writes or executes attacker-controlled content, yielding SYSTEM privileges. The attack is entirely local and needs no user interaction from a victim; no public exploit is identified at time of analysis, so an attacker would need to develop the race-winning technique independently.
Remediation Patch available per vendor advisory: upgrade the Zoom Workplace VDI Plugin (and the associated Zoom Client for Windows) to the fixed release specified in Zoom bulletin ZSB-26013 at https://www.zoom.com/en/trust/security-bulletin/zsb-26013; an exact fixed version is not provided in the supplied data, so confirm and pin it from that advisory before deployment. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify and inventory all Windows-based VDI systems running Zoom Workplace VDI Plugin, document deployed versions, and quantify the population of authenticated users with local access to these systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-53411 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy