Zoom Workplace VDI Plugin Vulnerability Allows Local Privilege Escalation
The National Vulnerability Database (NVD) has detailed CVE-2026-30905, a high-severity vulnerability (CVSS 7.8) affecting the Zoom Workplace VDI Plugin Windows Universal Installer prior to version 6.6.11. This flaw, categorized as External Control of File Name or Path (CWE-73), allows an authenticated user to achieve escalation of privilege via local access.
This isn’t a remote exploit, but it’s still dangerous. An attacker who has already gained a foothold on a system – perhaps through phishing or another initial access vector – can leverage this vulnerability to elevate their privileges. This can turn a limited compromise into a full system takeover, enabling data exfiltration, lateral movement, or the deployment of more persistent malware.
For defenders, this means patching the Zoom VDI plugin is non-negotiable. While the CVSS score is high, the local access requirement might lull some into a false sense of security. Don’t be complacent. Attackers thrive on privilege escalation; it’s a critical step in almost every advanced attack chain. Prioritize this update, especially in VDI environments where Zoom is heavily utilized.
What This Means For You
- If your organization uses the Zoom Workplace VDI Plugin on Windows, immediately verify that all installations are updated to version 6.6.11 or later. An authenticated attacker could exploit CVE-2026-30905 for local privilege escalation, turning a minor compromise into a severe incident.
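One way to run that version check across a fleet, as an added example that is not part of the original article or any Zoom tooling: it audits a software inventory export and compares versions numerically, because a plain string comparison ranks 6.6.9 above 6.6.11. The CSV column names, hostnames and the product display-name match are assumptions.

```python
import csv
import io
import re

FIXED = (6, 6, 11)  # first fixed version, per the advisory text above

# Constructed sample inventory export. Hostnames, column names and product
# display names are assumptions, not values from Zoom or the NVD entry.
SAMPLE_INVENTORY = """host,product,version
vdi-01,Zoom Workplace VDI Plugin,6.6.9
vdi-02,Zoom Workplace VDI Plugin,6.6.11
vdi-03,Zoom Workplace VDI Plugin,6.6.10.5 (build 4411)
vdi-04,Zoom Workplace VDI Plugin,6.7.0
vdi-05,Zoom Workplace VDI Plugin,n/a
vdi-06,Zoom Workplace,6.5.0
"""

def parse_version(text):
    """Return the leading dotted number as a tuple of ints, or None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vdi_plugin(product):
    """Assumed match: display name mentions both 'zoom' and 'vdi'."""
    name = (product or "").lower()
    return "zoom" in name and "vdi" in name

def audit(csv_text, fixed=FIXED):
    """Classify each VDI plugin install as VULNERABLE, OK or UNKNOWN."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_vdi_plugin(row.get("product")):
            continue  # other software, including the non-VDI Zoom client
        version = parse_version(row.get("version"))
        if version is None:
            status = "UNKNOWN"      # unparseable: needs a manual check
        elif version < fixed:
            status = "VULNERABLE"   # numeric compare, so 6.6.9 < 6.6.11
        else:
            status = "OK"
        results.append((row["host"], row["version"], status))
    return results

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {version:24} {status}")
```

Rows reported as UNKNOWN should be treated as unverified rather than patched.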
🛡️ Detection Rules
CVE-2026-30905 - Zoom VDI Plugin Local Privilege Escalation via UNC Path
```yaml
title: CVE-2026-30905 - Zoom VDI Plugin Local Privilege Escalation via UNC Path
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects the execution of ZoomVDIHook.exe with a command line containing a UNC path, which is indicative of the CVE-2026-30905 vulnerability being exploited for local privilege escalation. This vulnerability involves external control of file name or path within the Zoom Workplace VDI Plugin.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-30905/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'ZoomVDIHook.exe'
    CommandLine|contains:
      # A UNC path starts with two backslashes; in Sigma, '\\\\' matches a literal '\\'.
      - '\\\\'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-30905 | Privilege Escalation | Zoom Workplace VDI Plugin Windows Universal Installer |
| CVE-2026-30905 | Privilege Escalation | Affected versions: before 6.6.11 |
| CVE-2026-30905 | Path Traversal | External Control of File Name or Path |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.