Zoom has patched CVE-2026-53412, a critical vulnerability with a CVSS score of 9.8 that could allow unauthenticated attackers to take over user accounts on Windows systems. The flaw stems from improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows.
Zoom’s Offensive Security team discovered the vulnerability. The company declined to release detailed technical information about the exploit mechanism while users deploy patches. The issue affects older versions of Zoom Workplace, the Windows VDI Client, and the Meeting SDK for Windows.
Alongside the critical bug, Zoom addressed three additional high-severity vulnerabilities. CVE-2026-53410 (CVSS 8.8) involves a race condition that could let an authenticated local user gain elevated privileges. CVE-2026-53409 (CVSS 8.8) is an improper privilege management flaw in Rooms for Windows, and CVE-2026-53411 (CVSS 8.8) is an input validation issue in the Workplace VDI Plugin. None of the vulnerabilities are currently under active exploitation.
Users should update to the latest versions as soon as possible.

