Zoom has patched a critical vulnerability, tracked as CVE-2026-53412 and rated 9.8 out of 10 on the CVSS scale, affecting its Windows desktop client, its VDI client for Windows, and its Meeting SDK for Windows. The flaw is an improper input validation issue that could let an unauthenticated attacker take over a user's account over the network — no password, phishing click, or prior access required. Zoom discovered the issue internally, hasn't published exploitation technical detail, and says there's no evidence it has been used in attacks yet.
The fix ships in Zoom Workplace for Windows 7.0.0 and later, VDI Client 7.0.10 / 6.6.15 / 6.5.18 and later, and Meeting SDK for Windows 7.0.0 and later. Alongside it, Zoom disclosed three further high-severity flaws in the same batch of updates, covering privilege escalation and race-condition issues, also Windows-specific. macOS, Linux, and mobile clients are not affected by CVE-2026-53412.
What this means for your business
- Update Zoom on every Windows machine this week. The desktop client auto-updates for most users, but don't assume — check Zoom > Settings > About for a version at or above 7.0.0, or push it centrally if you manage devices via MDM.
- Don't forget the SDK and VDI paths. If your business embeds the Zoom Meeting SDK in a custom app, or runs Zoom through a virtual desktop (VDI) setup, those components need their own separate update — a patched desktop client doesn't cover them.
- No exploitation yet is not a reason to wait. A CVSS 9.8, unauthenticated, network-reachable flaw is exactly the profile attackers reverse-engineer from a patch within days. Being current before that happens is the entire point of patching promptly.
- Treat "critical + no user action" bugs as the ones that need the fastest turnaround. This one requires nothing from the victim — no click, no credential entry — which means normal staff caution offers zero protection. Only the update does.
Video conferencing software sits on almost every employee's machine, which makes a flaw like this a wide, quiet risk rather than a dramatic one. The fix is simple and already available — the only real risk is it sitting unapplied on a machine nobody got round to.