Zoom patches critical Windows flaw that could hand attackers your account
A 9.8-severity bug in Zoom's Windows client lets remote attackers take over accounts with no login required.

Key points
- Zoom disclosed a critical Windows client flaw, tracked as CVE-2026-53412, scoring 9.8 out of 10 in severity.
- The bug lets an attacker with network access take over a user's account without needing a password.
- Zoom Workplace for Windows before version 7.0.0, the Windows VDI Client, and the Meeting SDK for Windows are all affected.
- Zoom found the flaw internally and says there is no sign it has been used in attacks.
- The same patch round fixes three other high-severity Windows bugs.
Zoom is telling Windows users to update now.
The company disclosed a serious flaw in its desktop app this week, first reported by BleepingComputer, that could let an attacker hijack a user's account over the network. No password. No click. Just network access to the target.
The bug is tracked as CVE-2026-53412 and carries a severity score of 9.8 out of 10, which is about as bad as these ratings get. Zoom's own engineers found it.
In plain terms: the app did not properly check the data being sent to it. That kind of sloppy input handling, called improper input validation, can let an attacker slip in commands or requests the software should have refused.
Should ordinary Zoom users be worried?
Probably not, if you update. Zoom says there is no evidence anyone has actually used the flaw in a real attack, and the fix is already available. Open Zoom, let it update, and you are done.
The risk sits with people and organisations still running older versions.
Zoom's advisory lists the vulnerable builds: Zoom Workplace for Windows before 7.0.0, the Windows VDI Client before versions 7.0.10, 6.6.15 and 6.5.18, and the Meeting SDK for Windows before 7.0.0. VDI, short for virtual desktop infrastructure, is the setup many large employers use to stream a work desktop to staff laptops.
Zoom did not publish technical details of how the attack works. Vendors often hold those back to give customers time to patch.
What else did Zoom fix?
Three other high-severity bugs got patched in the same round. None of them are as dangerous as the main flaw, because each one requires the attacker to already have a foothold on the machine.
CVE-2026-53410 is what analysts call a race condition, meaning a timing bug where an attacker slips in between two steps the software takes. In this case it happens during install or uninstall, and a local user could use it to grab higher privileges.
CVE-2026-53409 affects Zoom Rooms for Windows before 7.1.0. A logged-in local user could escalate their privileges, which is the industry phrase for turning a normal account into an admin one.
CVE-2026-53411 is another input validation bug, this time in the Zoom Workplace VDI Plugin for Windows before 6.6.14. Same story: local access needed, privilege escalation possible.
What should you do?
For most people, updating Zoom is the whole job. The app will usually prompt you. If it does not, quit Zoom and reopen it, or download the latest installer from Zoom's website.
For IT teams, the priority is the critical flaw. Anything running Zoom Workplace for Windows below 7.0.0 needs attention first. VDI environments come next, since those tend to sit on internal networks where a single account takeover can spread quickly.
Attribution matters here too. Zoom found this itself, which is worth noting. Internally discovered bugs tend to get patched before criminal groups or state-linked crews work out how to weaponise them. That is the good outcome. The bad outcome is when a researcher goes public before the fix is ready, or when a nation-state operator quietly finds the same bug first and sits on it.
Neither appears to have happened this time. But the window between disclosure and exploitation of critical bugs like this one is often measured in days.
Patch this week.



