Zoom Rooms Installer: High-Severity Privilege Escalation via Untrusted Path
The National Vulnerability Database has disclosed CVE-2026-30906, a high-severity vulnerability (CVSS 7.8) affecting Zoom Rooms for Windows installers prior to version 7.0.0. This flaw, categorized as CWE-426 (Untrusted Search Path), allows an authenticated user with local access to achieve privilege escalation.
This isn’t a remote exploit, but it’s still dangerous. An attacker who has already gained a foothold on a system – perhaps via a phishing attack or another initial access vector – can leverage this vulnerability to elevate their privileges. For an attacker, moving from a standard user to a SYSTEM or administrator account is the holy grail, enabling persistence, deeper system compromise, and lateral movement.
Defenders need to treat installer vulnerabilities with the same urgency as application flaws. Attackers often target the installation process or post-installation cleanup precisely because it offers a route to the elevated privileges described above. It’s a critical vector for establishing privileged access on endpoints, which then becomes a launching pad for broader network compromise. Patching isn’t just about the running application; it’s about the entire software lifecycle on the endpoint.
What This Means For You
- If your organization uses Zoom Rooms for Windows, prioritize updating all installations to version 7.0.0 or later immediately. Audit your endpoints for any unpatched instances and ensure that least privilege principles are rigorously applied to user accounts, especially those with local access to these systems. This vulnerability can be chained with initial access techniques to achieve full system control.
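One way to run the audit described above over a software inventory export, as an added example that is not part of the original advisory. The CSV column names, the host names and the match on a display name containing "Zoom Rooms" are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

FIXED = (7, 0, 0)  # first fixed release named in the advisory

# Constructed sample export; column names are assumptions about your inventory tool.
SAMPLE_INVENTORY = """host,display_name,display_version
conf-room-01,Zoom Rooms,6.5.0.4812
conf-room-02,Zoom Rooms,7.0.0
conf-room-03,Zoom Rooms (64-bit),6.10.2 (2391)
conf-room-04,Zoom Rooms,
lobby-pc-07,Zoom Workplace,6.4.1
conf-room-05,Zoom Rooms,7.1.3.100
"""

def parse_version(text):
    """Return a tuple of ints from the leading dotted number, or None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))

def classify(version_text, fixed=FIXED):
    """'vulnerable' if below the fixed release, 'patched' if not, 'unknown' if unparsable."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # surface for manual review instead of assuming patched
    # Compare numerically (as strings, "10.0.0" would sort before "7.0.0") and
    # pad so that "7.0" compares equal to (7, 0, 0) rather than below it.
    width = max(len(v), len(fixed))
    v += (0,) * (width - len(v))
    f = fixed + (0,) * (width - len(fixed))
    return "vulnerable" if v < f else "patched"

def audit(csv_text):
    """Map host -> status for every inventory row whose product name is Zoom Rooms."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "zoom rooms" not in row["display_name"].lower():
            continue  # other Zoom products are outside this advisory
        results[row["host"]] = classify(row["display_version"])
    return results

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` have no parsable version in the export and should be checked by hand rather than treated as patched.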
🛡️ Detection Rules
CVE-2026-30906 - Zoom Rooms Installer Privilege Escalation
```yaml
title: CVE-2026-30906 - Zoom Rooms Installer Privilege Escalation
id: scw-2026-05-13-ai-1
status: experimental
level: high
description: |
  Detects the execution of the Zoom Rooms installer (ZoomRoomsInstaller.exe) via msiexec.exe, which is a potential indicator of the privilege escalation vulnerability CVE-2026-30906. This vulnerability exploits an untrusted search path within the installer, allowing an authenticated local user to escalate privileges.
author: SCW Feed Engine (AI-generated)
date: 2026-05-13
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-30906/
tags:
  - attack.privilege_escalation
  - attack.t1574.001
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'ZoomRoomsInstaller.exe'
    CommandLine|contains:
      - 'msiexec.exe'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-30906 | Privilege Escalation | Zoom Rooms for Windows installer |
| CVE-2026-30906 | Privilege Escalation | Zoom Rooms for Windows before version 7.0.0 |
| CVE-2026-30906 | Privilege Escalation | Untrusted search path |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 13, 2026 at 22:17 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.