Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Untrusted search path in the installer for Zoom Rooms for Windows before version 7.0.0 may allow an authenticated user to enable an escalation of privilege via local access.
AnalysisAI
Local privilege escalation in Zoom Rooms for Windows versions prior to 7.0.0 allows an authenticated user to gain elevated privileges through an untrusted search path weakness in the installer. The flaw (CWE-426) carries a CVSS 7.8 (High) rating with complete confidentiality, integrity, and availability impact, though EPSS exploitation probability is very low (0.01%) and there is no public exploit identified at time of analysis. CISA SSVC indicates no observed exploitation but total technical impact, making this a credible insider-threat or post-compromise escalation vector rather than an internet-facing risk.
Technical ContextAI
The vulnerability sits in the Zoom Rooms for Windows installer (cpe:2.3:a:zoom_communications:zoom_rooms) and is classified under CWE-426 (Untrusted Search Path). This weakness occurs when a process - typically one running with elevated privileges such as an MSI/EXE installer - resolves binaries, DLLs, or helper executables using a search path that an unprivileged user can influence (for example, the current working directory, a writable PATH entry, or an unquoted service path). On Windows, installers running under SYSTEM or via elevated MSI contexts are particularly susceptible because attacker-controlled libraries placed in resolvable directories get loaded and executed in the elevated context, yielding local privilege escalation.
RemediationAI
Upgrade Zoom Rooms for Windows to version 7.0.0 or later - per the EUVD-confirmed fix boundary and Zoom security bulletin ZSB-26008 (https://www.zoom.com/en/trust/security-bulletin/zsb-26008), this is the vendor-released patch. Until upgrade is rolled out, run the installer only from a directory not writable by standard users (for example, a SYSTEM-only staging path or an admin-controlled deployment share via SCCM/Intune) rather than from user Downloads folders, since the untrusted search path is exercised when the installer process resolves auxiliary binaries; the trade-off is added deployment friction for ad-hoc installs. Additionally, restrict who can execute the installer through AppLocker or WDAC policies scoped to administrators, which prevents low-privileged users from invoking the vulnerable installer at all but blocks self-service upgrades. Reference the VulDB entry at https://vuldb.com/vuln/363023 for tracking.
Same weakness CWE-426 – Untrusted Search Path
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30112
GHSA-mmmr-c45j-v926