External risk intelligence

Zoom Workplace VDI Plugin: Privilege Escalation Risk

CVE advisorySeverity: HIGH (CVSS 7.8)

CVE-2026-30905

A vulnerability in the Zoom Workplace VDI Plugin for Windows Installer may allow an authenticated local user to escalate privileges. This could affect organizations by enabling unauthorized access to systems and data. The risk is associated with local access to the affected installer.

1Halo Surface Signal

Zoom Workplace Virtual Desktop Infrastructure

before 6.6.11

External exposure likelihood

Halo Surface Signal score for CVE-2026-30905

The vulnerability exists in a local installer for a VDI plugin. It requires local access to the system to exploit, meaning it is not reachable via the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-30905

Yes

CVE-2026-30905 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Zoom Workplace VDI may allow an authenticated user to escalate privileges locally, which could cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

The Zoom Workplace VDI Plugin for Windows Universal Installer contains a flaw related to how it handles file names and paths. This weakness could potentially allow an authenticated user with local access to gain elevated privileges on the affected system. The core issue stems from the external control of file names or paths within the installer.

  • Vulnerable Zoom VDI Plugin installer
  • Flaw allows privilege escalation
  • Impact on authenticated local users

Attack Path

How an attacker could exploit the issue

An authenticated user with local access may be able to escalate privileges using the Zoom Workplace VDI Plugin for Windows. The vulnerability exists within the installer, and exploiting it could lead to an attacker gaining elevated permissions on the affected system. This could impact the confidentiality, integrity, and availability of the system and its data.

  • Requires authenticated local access.
  • Attacker triggers installer vulnerability.
  • Results in privilege escalation.

Live Threat

Current exploitation, exposure, and threat context

The Zoom Workplace VDI Plugin for Windows contains a vulnerability that could allow an authenticated user with local access to escalate privileges. This could impact organizations by allowing unauthorized access and modification of systems. The potential for privilege escalation warrants careful consideration of affected systems.

  • Attacker skill level: Basic
  • Required access or conditions: Local access
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Zoom Workplace VDI Plugin for Windows has a vulnerability that could allow an authenticated user with local access to escalate privileges. This risk affects organizations using this specific plugin. The exploitation requires local access to the affected system, which reduces the potential attack surface.

  • Identify all systems with the VDI plugin installed.
  • Restrict local access to VDI plugin systems.
  • Apply vendor updates and verify.
  • Monitor for related activity.

Frequently asked questions

What is the Zoom Workplace VDI Plugin and its function in virtual environments?

The Zoom Workplace VDI Plugin is a component of the Windows Universal Installer designed for virtual desktop infrastructure (VDI) environments. It enables users to utilize Zoom services seamlessly within these virtualized setups.

What weakness class is associated with CVE-2026-30905, and how does it manifest?

CVE-2026-30905 is classified under the 'External Control of File Name or Path' weakness (CWE-73). This indicates that the software does not adequately validate file names or paths provided by external inputs, potentially leading to unintended file operations or system compromises.

What are the necessary conditions for an attacker to exploit the Zoom VDI Plugin vulnerability?

Exploiting this vulnerability requires an attacker to first possess authenticated local access to the affected system. This condition limits the attack vector to users already on the system, preventing remote exploitation.

How does Halo classify the exposure of CVE-2026-30905, considering its attack vector?

Halo classifies CVE-2026-30905 as an internal exposure because the CVSS v3.1 attack vector is identified as Local (AV:L). This means the vulnerability is only reachable from the local system, not over the internet.

What practical steps can organizations take to mitigate the risk associated with the Zoom VDI Plugin vulnerability?

Organizations should identify all systems with the VDI plugin installed, restrict local access to these systems, and promptly apply vendor updates. Continuous monitoring for suspicious activity related to the plugin is also recommended.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified