Skip to content
feed: live
>_ 0dayNews
zoom

Zoom PSIRT: patch Workplace 7.0.0, unauth takeover 9.8

Zoom pushed a critical unauth account-takeover advisory (ZSB-26014, CVSS 9.8) for the Windows Workplace client and VDI Client — patch to 7.0.0 or the branch build.

Zoom PSIRT: patch Workplace 7.0.0, unauth takeover 9.8
Photo: Created by Wolfgang Beyer with the program Ultra Fractal 3. / Wikimedia Commons · CC BY-SA 3.0
fuse Marisol "Fuse" Delgado · Published · 3 min read

Late Tuesday, Zoom’s PSIRT dropped ZSB-26014 — a single critical, unauthenticated, no-user-interaction account-takeover flaw in the Windows Workplace client and VDI Client. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, base score 9.8. No in-the-wild exploitation reported yet. That’s the “yet” that determines your weekend.

What actually changed

The advisory pins the bug on “Improper Input Validation” (CVE assignment pending as of publication) across three affected Windows builds:

  • Zoom Workplace for Windows — patch to 7.0.0 or later
  • Zoom Workplace VDI Client for Windows — patch to the branch-matched build: 7.0.10, 6.6.15, or 6.5.18, depending on which VDI train you’re pinned to
  • Zoom Meeting SDK for Windows — patch to 7.0.0 per BleepingComputer’s writeup; the Meeting SDK line isn’t itemized on the ZSB-26014 page directly, so verify the SDK version against the Zoom download center rather than the bulletin.

Bug class: unauthenticated network attacker gets an account takeover. Zoom doesn’t say more than that on the advisory page, and I’m not going to try to reconstruct the mechanics from a two-sentence description — the point of the disclosure is the patch, not the exploit chain. Credit on the find goes to Zoom Offensive Security, which means the vendor’s internal team caught it before anyone external filed it. That’s the best-case shape a critical PSIRT advisory can take, and it’s why nothing’s being swung at yet.

Treat ZSB-26014 as authoritative on versions and severity. CVE assignment was pending as of publication — NVD and MITRE had not backfilled the ID as of 2026-07-16; check the ZSB-26014 advisory for updates.

What to do

The honest timeline for this one is: patched by Friday, not Monday. Nothing is being exploited today, but a 9.8 unauthenticated account-takeover with a public vendor advisory isn’t something you want to be four days late on if a PoC drops over the weekend.

  1. Windows fleets with Zoom Workplace: push 7.0.0 through your patch pipeline this week. The desktop client updates on relaunch — same problem the Chrome roundup flagged this morning, where “the update downloaded” and “the process restarted with the patched build” are not the same thing. Verify the running version, don’t verify the installed version.
  2. VDI shops: match the branch, not the number. Zoom keeps three concurrent VDI trains (7.0.x, 6.6.x, 6.5.x) so ops teams can pin to a stable Horizon/Citrix compatibility matrix. If you’re on 6.5, 7.0.10 is not your patch — 6.5.18 is. Read the ZSB-26014 remediation table once before you kick the deploy.
  3. Meeting SDK integrations: rebuild against 7.0.0. If you ship a product that embeds the Zoom Meeting SDK for Windows, your users’ patch cadence is your problem, not Zoom’s. Get the rebuild moving now so downstream customers aren’t stuck waiting on your release cycle.
  4. macOS, Linux, mobile: not on this advisory. ZSB-26014 is Windows-only. Don’t burn a maintenance window on cross-platform patch coordination this one doesn’t need.
  5. Log-review pass on Zoom auth events, low-priority. No IOCs published, no in-the-wild reporting, so this is a “if you already have Zoom auth logs going somewhere queryable, spot-check them for anomalies” pass — not a call for an IR engagement.

Priority call

Patch this before the weekend if Zoom is anywhere in your standard user build. Do not patch this ahead of the Firefox flaws with public exploit code from earlier today if you haven’t caught those up yet — Firefox has public PoC, Zoom does not. The SharePoint chain CISA added to KEV with a July 17 federal deadline also ranks above this on the “already being exploited” ladder. Zoom is #3 on this week’s patch queue behind those two, not #1 despite the 9.8. Fix the ones under active abuse first, then the ones with public PoCs, then the ones like this — critical, unauth, but so far no one’s swinging at them.

Track future Zoom PSIRT advisories at /topics/zoom/.

Found this useful? Share it.