CVE-2026-30906 Overview
CVE-2026-30906 is an untrusted search path vulnerability [CWE-426] in the installer for Zoom Rooms for Windows before version 7.0.0. The flaw allows an authenticated local user to escalate privileges by placing a malicious binary in a location searched by the installer process. When the installer runs with elevated rights, it loads the attacker-controlled file and executes code in a higher-privileged context. Zoom documented the issue in security bulletin ZSB-26008.
Critical Impact
A local authenticated attacker can gain elevated privileges on Windows hosts running vulnerable Zoom Rooms installers, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Zoom Rooms for Windows versions prior to 7.0.0
- Windows endpoints used as Zoom Rooms appliances
- Systems where the affected installer is staged or executed
Discovery Timeline
- 2026-05-13 - CVE-2026-30906 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-30906
Vulnerability Analysis
The Zoom Rooms for Windows installer searches directories for dependencies without validating their trust boundaries. An authenticated user with write access to a directory present in the installer's search path can stage a malicious dynamic link library (DLL) or executable. When the installer launches with administrative privileges, it resolves and loads the attacker-supplied binary instead of the intended system file. The attacker's code then executes under the installer's elevated security context, completing the privilege escalation.
Root Cause
The root cause is improper restriction of the binary search path used during installation, classified under [CWE-426]. The installer does not enforce absolute paths or signed-binary requirements for loaded components. This pattern commonly arises when Windows applications rely on the default DLL search order or invoke helper executables without a fully qualified path.
Attack Vector
Exploitation requires local access and valid authentication on the target Windows host. The attacker plants a crafted file, such as a DLL with a name matching a dependency the installer attempts to load, in a writable directory that the installer searches before system locations. Triggering the installer, either through user action or scheduled execution, causes the malicious file to load. Successful exploitation yields code execution at the installer's privilege level, typically SYSTEM or an administrator account.
No public proof-of-concept code is referenced in the advisory. See the Zoom Security Bulletin ZSB-26008 for vendor technical details.
Detection Methods for CVE-2026-30906
Indicators of Compromise
- Unexpected DLL or executable files in directories adjacent to the Zoom Rooms installer or in user-writable paths on the PATH environment variable
- Child processes spawned by the Zoom Rooms installer that do not match Zoom-signed binaries
- New service installations, scheduled tasks, or local administrator accounts created shortly after Zoom Rooms installation events
Detection Strategies
- Monitor process creation events where the parent is the Zoom Rooms installer and the child loads an unsigned or non-Zoom-signed module
- Audit file write events to directories included in the installer's search path, particularly by non-administrative users
- Correlate installer execution with subsequent privilege elevation events such as Security event ID 4672 from unexpected accounts
Monitoring Recommendations
- Enable Windows Sysmon event ID 7 (Image Loaded) and 1 (Process Create) for installer binaries and review for unsigned modules
- Track software deployment logs for Zoom Rooms installations originating outside approved management tooling
- Alert on writes of .dll or .exe files into staging directories used by software distribution pipelines
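The Sysmon review described above can be scripted. The following PowerShell is an added example, not code from Zoom or the advisory; the installer name pattern and the allowed signer names are assumptions to adjust to your deployment.

```powershell
param(
    # Assumption: wildcard for the installer's image path; set it to the file name you deploy.
    [string]$InstallerPattern = '*ZoomRooms*',
    # Assumption: signer names accepted on modules the installer loads; confirm the
    # Zoom entry against a known-good binary before relying on it.
    [string[]]$AllowedSigners = @('Zoom Video Communications, Inc.', 'Microsoft Windows', 'Microsoft Corporation'),
    [int]$Days = 7
)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 7                      # Image Loaded
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the event's <Data Name="..."> elements into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only look at modules loaded into the installer process.
    if ($data['Image'] -notlike $InstallerPattern) { return }

    # Pass modules that carry a valid signature from an allowed signer.
    $validSig = $data['Signed'] -eq 'true' -and $data['SignatureStatus'] -eq 'Valid'
    $knownSigner = $AllowedSigners -contains $data['Signature']
    if ($validSig -and $knownSigner) { return }

    # Everything else is reported for review.
    [pscustomobject]@{
        TimeCreated     = $_.TimeCreated
        Installer       = $data['Image']
        ImageLoaded     = $data['ImageLoaded']
        Signed          = $data['Signed']
        Signature       = $data['Signature']
        SignatureStatus = $data['SignatureStatus']
    }
}
```

Sysmon records event ID 7 only when image-load logging is enabled in its configuration, so an empty result on a host without that rule says nothing about what was loaded.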
How to Mitigate CVE-2026-30906
Immediate Actions Required
- Upgrade Zoom Rooms for Windows to version 7.0.0 or later on all managed endpoints
- Inventory hosts running Zoom Rooms and confirm installer versions used by deployment systems
- Restrict local interactive logon on Zoom Rooms appliances to administrators only
Patch Information
Zoom released a fixed build in Zoom Rooms for Windows version 7.0.0. Apply the update referenced in the Zoom Security Bulletin ZSB-26008. Replace any cached installer packages stored in software distribution shares with the patched version to prevent reuse of vulnerable installers.
Workarounds
- Execute the installer only from directories where standard users have no write permissions, such as a protected administrative share
- Remove writable, user-controlled directories from the system PATH to reduce DLL search-order hijack opportunities
- Enforce application allowlisting policies, such as Windows Defender Application Control, to block unsigned DLLs from loading into elevated installer processes
# Verify installed Zoom Rooms version on a Windows host
powershell -Command "Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like 'Zoom Rooms*' } | Select-Object DisplayName, DisplayVersion"
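The first two workarounds above can be checked with an ACL audit of the machine PATH and the installer's staging location. The following PowerShell is an added example, not code from Zoom or the advisory; the $ExtraDirs parameter is a hypothetical input for wherever the installer is staged in your environment.

```powershell
param(
    # Hypothetical input: extra directories to audit, such as the installer staging folder.
    [string[]]$ExtraDirs = @()
)

# Access bits that permit creating or replacing files in a directory:
# CreateFiles/WriteData (0x2), AppendData (0x4), GENERIC_WRITE, GENERIC_ALL.
$writeBits = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';'
$dirs = @($machinePath) + $ExtraDirs |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique

foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A missing PATH entry can be created by anyone able to write to its parent.
        [pscustomobject]@{ Directory = $dir; Principal = '(directory missing)'; Rights = $null }
        continue
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
        # Skip deny entries and inherit-only entries (PropagationFlags bit 0x2).
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.PropagationFlags -band 2) -ne 0) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeBits) -eq 0) { continue }

        # Resolve the SID to an account name where possible.
        $name = try {
            $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $ace.IdentityReference.Value }
        [pscustomobject]@{ Directory = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}
```

Each row of output is a directory that a principal outside the trusted list can write to; an empty result means no such entries were found in the audited directories.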