CVE-2026-22844: Critical Zoom MMR Vulnerability Enables Remote Code Execution
Overview
CVE-2026-22844 is a critical command injection vulnerability affecting Zoom Node Multimedia Routers, commonly referred to as MMRs. These components are used in Zoom hybrid meeting and Meeting Connector deployments to handle media processing. The vulnerability allows a meeting participant with network access to execute arbitrary commands on the MMR, potentially leading to full system compromise.
Zoom has confirmed the issue and released a patch. Organizations running affected infrastructure should treat this as a high-priority remediation item.
What Is Affected
The vulnerability impacts Zoom Node MMR deployments running versions prior to 5.2.1716.0. This includes:
- Zoom Node Hybrid Meeting MMR modules
- Zoom Node Meeting Connector MMR modules
Standard Zoom desktop and mobile clients are not affected.
Technical Details
The issue is classified as an OS command injection vulnerability, mapped to CWE-78. Improper input sanitization allows attacker-controlled data to be passed directly into system-level command execution.
A malicious meeting participant can exploit this flaw remotely over the network. No user interaction is required once the attacker has joined a meeting, and the attack complexity is considered low.
Successful exploitation enables remote code execution on the MMR host, which may run with elevated privileges depending on deployment configuration.
Severity and CVSS Scoring
Zoom, acting as the CNA, assigned a CVSS v3.1 base score of 9.9, rated Critical.
The vector is:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
At the time of publication, NIST had not yet issued an independent CVSS assessment in the NVD, which is why the NVD entry displays vendor-supplied metrics only. This discrepancy is normal and resolves once NVD enrichment is completed.
Impact
If exploited, this vulnerability could allow an attacker to:
- Execute arbitrary system commands on the MMR
- Disrupt or terminate active meetings
- Access or manipulate sensitive media traffic
- Use the compromised MMR as a pivot point for further network attacks
Because exploitation requires only participant-level access, environments that host external or untrusted meeting attendees are at increased risk.
Mitigation and Remediation
Zoom has addressed the issue in MMR version 5.2.1716.0 and later.
Recommended actions:
- Immediately upgrade all Zoom Node MMR deployments to version 5.2.1716.0 or newer
- Verify that no legacy MMR instances remain active
- Restrict meeting access where possible until patching is complete
- Monitor MMR systems for signs of unexpected command execution or anomalous behavior
Refer to Zoom Security Bulletin ZSB-26001 for official patch guidance.
Final Thoughts
CVE-2026-22844 highlights the elevated risk associated with exposed collaboration infrastructure. While Zoom clients often receive the most attention, backend components like MMRs can present a far greater blast radius when compromised.
Organizations running hybrid or on-prem Zoom infrastructure should ensure these systems are included in regular vulnerability management and patch cycles, not treated as set-and-forget appliances.