Cyber Posture

CVE-2026-22844

Critical

Published: 20 January 2026

Published
20 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0017 38.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the command injection vulnerability by requiring timely remediation through patching Zoom MMRs to version 5.2.1716.0 or later.

SI-10 Information Input Validation good match
prevent

Prevents command injection by enforcing validation and sanitization of untrusted network inputs from low-privileged meeting participants.

AC-6 Least Privilege partial match
prevent

Reduces the impact of successful remote code execution by enforcing least privilege on MMR processes handling participant inputs.

Security SummaryAI

CVE-2026-22844 is a Command Injection vulnerability (CWE-78) in Zoom Node Multimedia Routers (MMRs) prior to version 5.2.1716.0. Published on 2026-01-20, it allows a meeting participant to achieve remote code execution on the MMR via network access. The issue carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to network-based exploitation with low complexity, low privileges required, no user interaction, changed scope, and high impacts on confidentiality, integrity, and availability.

A meeting participant with low privileges (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no need for user interaction (UI:N). Successful exploitation grants remote code execution (RCE) on the MMR, enabling full control over the device in the changed scope (S:C).

Zoom's security bulletin at https://www.zoom.com/en/trust/security-bulletin/zsb-26001 addresses this vulnerability, with mitigation achieved by upgrading affected MMRs to version 5.2.1716.0 or later.

Details

CWE(s)
CWE-78

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

The command injection vulnerability enables remote code execution on the network-accessible Zoom MMR service by low-privileged meeting participants, directly facilitating Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References