CVE-2026-22844 PUBLISHED

Zoom Node Deployments - Command Injection

Assigner: Zoom
Reserved: 12.01.2026 Published: 20.01.2026 Updated: 20.01.2026

A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS Score: 9.9

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Zoom Communications Inc.
Product	Zoom Node
Versions	Default: unaffected affected from 0 to 5.2.1716.0 (excl.)

References

https://www.zoom.com/en/trust/security-bulletin/zsb-26001

Problem Types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE