CVE-2026-30905 Overview
CVE-2026-30905 is a high-severity privilege escalation vulnerability affecting the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11. The flaw stems from external control of file name or path [CWE-73] within the installer component. An authenticated local user can manipulate file paths during installation to escalate privileges on the affected Windows host. Zoom disclosed the issue in security bulletin ZSB-26007. The vulnerability requires local access and low privileges, with no user interaction needed for exploitation.
Critical Impact
An authenticated local attacker can escalate privileges and fully compromise the confidentiality, integrity, and availability of a Windows system running the vulnerable Zoom VDI Plugin installer.
Affected Products
- Zoom Workplace VDI Plugin Windows Universal Installer
- All versions prior to 6.6.11
- Windows-based virtual desktop infrastructure (VDI) deployments using the Zoom plugin
Discovery Timeline
- 2026-05-13 - CVE-2026-30905 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-30905
Vulnerability Analysis
The vulnerability resides in the Zoom Workplace VDI Plugin Windows Universal Installer. The installer accepts file name or path inputs that are not adequately validated or restricted. An authenticated user with local access can influence these paths during the installation or update process. This allows the attacker to redirect installer operations toward attacker-controlled locations or files. Because the installer runs with elevated privileges, the attacker inherits those privileges through the manipulated file operations. The result is a local privilege escalation from a standard authenticated user to a higher-privilege context.
Root Cause
The root cause is improper validation of externally supplied file names or paths [CWE-73]. The installer trusts path inputs that should be treated as untrusted when supplied or influenceable by a non-administrative user. This trust boundary failure permits redirection of file reads, writes, or executions to locations chosen by the attacker.
Attack Vector
Exploitation requires local access (AV:L) and low privileges (PR:L). The attacker must already be authenticated on the target system. No user interaction is required. Typical exploitation involves placing a crafted file or symbolic link at a predictable location, then triggering installer logic that consumes the attacker-controlled path. When the installer processes the path under elevated privileges, the attacker gains code execution or file manipulation rights beyond their original authorization level.
No public proof-of-concept exploit code is currently available for CVE-2026-30905. Refer to the Zoom Security Bulletin ZSB-26007 for vendor-supplied technical context.
Detection Methods for CVE-2026-30905
Indicators of Compromise
- Unexpected files, symbolic links, or junctions appearing in directories used by the Zoom VDI Plugin installer prior to installer execution
- Installer processes (ZoomVDIUniversalInstaller.exe or related binaries) reading from or writing to non-standard user-writable paths
- New privileged processes spawned as child processes of the Zoom installer outside expected installation workflows
Detection Strategies
- Monitor installer process execution chains for anomalous child processes running under SYSTEM or administrative contexts
- Inspect file system telemetry for path manipulation patterns near Zoom installation directories during installer runs
- Audit Windows event logs for privilege elevation events correlated with Zoom VDI Plugin installation or update activity
Monitoring Recommendations
- Track installations and version inventory of Zoom Workplace VDI Plugin across all Windows endpoints to identify hosts running versions prior to 6.6.11
- Alert on creation of symbolic links or hard links by non-administrative users in paths consumed by privileged installers
- Correlate authenticated local user activity with installer execution events to identify suspicious sequencing
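The link and write-access conditions named in the indicators and monitoring recommendations above can be checked on a host before an installer run. The PowerShell below is an added example, not Zoom or advisory code. `Get-InstallerPathRisk` is a hypothetical helper, and the directories passed to it are placeholders because the advisory does not name the paths the installer consumes.

```powershell
# Added example (not vendor code). The directories to audit are supplied by the
# operator; the advisory does not name the paths the installer consumes.
function Get-InstallerPathRisk {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Path)

    # Low-privilege principals by SID, so the check works on localized Windows:
    # Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'
    # WriteData/CreateFiles (0x2), AppendData/CreateDirectories (0x4),
    # GenericWrite (0x40000000), GenericAll (0x10000000)
    $writeMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    foreach ($dir in $Path) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # 1. Allow ACEs that let a standard user create or modify content here
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPrivSids -contains $ace.IdentityReference.Value -and
                ([int]$ace.FileSystemRights -band $writeMask)) {
                [pscustomobject]@{
                    Path    = $dir
                    Finding = 'UserWritable'
                    Detail  = '{0}: {1}' -f $ace.IdentityReference.Value, $ace.FileSystemRights
                }
            }
        }

        # 2. Links already present: the directory itself and its immediate children
        $items = @(Get-Item -LiteralPath $dir -Force) +
                 @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $isReparse = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint)
            if ($isReparse -or $item.LinkType) {
                [pscustomobject]@{
                    Path    = $item.FullName
                    Finding = 'Link'
                    Detail  = '{0} -> {1}' -f $item.LinkType, ($item.Target -join ', ')
                }
            }
        }
    }
}

# Hypothetical invocation: replace with the directories your deployment uses
Get-InstallerPathRisk -Path $env:TEMP, $env:ProgramData | Format-Table -AutoSize
```

A `UserWritable` finding on a directory that a privileged installer reads from or writes to is the precondition for the path manipulation described under Attack Vector. A `Link` finding in such a directory warrants review before the installer is run.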
How to Mitigate CVE-2026-30905
Immediate Actions Required
- Upgrade the Zoom Workplace VDI Plugin Windows Universal Installer to version 6.6.11 or later on all affected systems
- Inventory Windows endpoints and VDI golden images to identify any deployments still running vulnerable installer versions
- Restrict local interactive logon rights on systems where the Zoom VDI Plugin is installed to reduce the pool of users able to exploit the flaw
Patch Information
Zoom has released a fixed version of the Zoom Workplace VDI Plugin Windows Universal Installer. Update to version 6.6.11 or later to remediate CVE-2026-30905. Refer to the Zoom Security Bulletin ZSB-26007 for full vendor guidance and download links.
Workarounds
- Limit which authenticated users can execute the Zoom VDI Plugin installer until patching is complete
- Apply file system access controls to prevent non-administrative users from creating files, links, or junctions in directories referenced by the installer
- Defer optional installer or update runs on multi-user systems until the patched version is deployed enterprise-wide
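# Configuration example: Query installed Zoom VDI Plugin version via PowerShell
# Checks both the native and the 32-bit (WOW6432Node) uninstall registry views
Get-ItemProperty -Path @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
) -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*Zoom*VDI*" } |
    Select-Object DisplayName, DisplayVersion, InstallLocation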
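To turn that inventory query into a per-host triage result against the fixed release 6.6.11, the added example below (not Zoom or advisory code) compares each entry's version and reports a status. `ConvertTo-NormalizedVersion` and `Get-ZoomVdiPatchStatus` are hypothetical helpers, and it is an assumption that `DisplayVersion` carries the plugin version as a leading dotted number.

```powershell
# Added example (not vendor code): flag uninstall entries below the fixed version.
$FixedVersion = [version]'6.6.11.0'   # fixed release from the advisory, padded to four parts

function ConvertTo-NormalizedVersion {
    param([string]$Text)
    # Take the leading dotted-numeric run; constructed sample: "6.5.10 (25930)" -> "6.5.10"
    if ($Text -notmatch '^\s*(\d+(?:\.\d+){0,3})') { return $null }
    $parts = @($Matches[1].Split('.'))
    # Pad to four components: [version]'6.6.11' has Revision -1 and sorts below
    # [version]'6.6.11.0', which would misreport a patched host as vulnerable
    while ($parts.Count -lt 4) { $parts += '0' }
    [version]($parts -join '.')
}

function Get-ZoomVdiPatchStatus {
    $roots = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Zoom*VDI*' } |
        ForEach-Object {
            $v = ConvertTo-NormalizedVersion $_.DisplayVersion
            # Unparseable or missing versions are reported, not silently treated as patched
            if ($null -eq $v) { $status = 'Unknown' }
            elseif ($v -lt $FixedVersion) { $status = 'Vulnerable' }
            else { $status = 'Patched' }
            [pscustomobject]@{
                ComputerName   = $env:COMPUTERNAME
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = $status
            }
        }
}

Get-ZoomVdiPatchStatus
```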


