Description
Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access.
Published: 2026-03-11
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in Zoom Rooms for Windows operating in Kiosk Mode before version 6.6.5. Improper input validation permits an authenticated local user to manipulate data in a way that elevates their privileges on the host system. This flaw is classified as CWE‑20 (Improper Input Validation) and can lead to unauthorized actions that compromise the integrity of the entire installation.

Affected Systems

All Zoom Communications Inc. Zoom Rooms deployments for Windows running in Kiosk Mode are affected. Any instance of Zoom Rooms earlier than version 6.6.5 is impacted. The product is typically used in environments where users can log in locally to the host machine.

Risk and Exploitability

The CVSS score of 7 denotes high severity, but the EPSS score of less than 1% indicates a low probability of exploitation, and the flaw is not listed in CISA’s KEV catalog. Exploitation requires local authenticated access to the host; it does not depend on remote network access. The risk is higher in environments where many users have local access to the host, but the overall likelihood of exploitation remains low.

Generated by OpenCVE AI on March 17, 2026 at 16:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Zoom’s security bulletin for an upgrade to Zoom Rooms 6.6.5 or later.
  • Apply the update immediately to all affected installations.
  • If an update is not yet available, restrict Kiosk Mode usage to users without local administrator privileges.
  • Disable or limit local authenticated user access to the machine hosting the cameras if possible.
  • Monitor system logs for any privilege‑escalation activity and enforce least‑privilege policies.

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Zoom; Zoom rooms |
| Vendors & Products | | Zoom; Zoom rooms |

Wed, 11 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 11 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access. |
| Title | | Zoom Rooms for Windows - Improper Input Validation |
| Weaknesses | | CWE-20 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: Zoom

Published:

Updated: 2026-03-12T03:55:32.138Z

Reserved: 2026-03-06T18:44:57.630Z

Link: CVE-2026-30901

Vulnrichment

Updated: 2026-03-11T15:56:07.562Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T15:16:29.953

Modified: 2026-03-12T21:08:22.643

Link: CVE-2026-30901

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:11Z

Weaknesses