Zoom’s Critical Windows Flaw: Why Your Patching Probably Missed It
Zoom has warned of a critical flaw in its Windows desktop client. CVE-2026-53412 is rated 9.8 out of 10. It’s an improper input validation bug that lets an unauthenticated attacker take over an account over the network — no credentials, no local access, no click from the victim. Zoom found it internally and says there’s no sign of exploitation yet. That’s the good news, and it won’t last forever.
The Bit That Should Worry You More Than the Score
A 9.8 gets attention. What gets missed is that Zoom usually isn’t in the patching baseline at all. In the Australian client environments we audit, Zoom is almost never deployed by IT — someone installed it during a hybrid-work scramble in 2020 and it stuck. The default installer drops it into each user’s AppData folder rather than machine-wide, so patch policies looking at the standard installed-programs list often don’t see it. The report comes back green. Zoom is still on 6.x.
What to Do Today
- Check the version, don’t assume. In Zoom: profile picture → Help → About. Anything below 7.0.0 needs updating.
- Don’t rely on auto-update. It’s frequently disabled or blocked by policy on managed devices, and it only runs when the app is restarted — which for a lot of people is never.
- Check VDI clients separately. They have their own version numbers and are easy to overlook.
- For managed fleets, deploy the machine-wide MSI so Zoom actually shows up in your patch reporting from now on.
Nothing is being exploited today. But a 9.8 unauthenticated account takeover in software installed on millions of Windows machines is not a race you want to be at the back of.
Not Sure What’s Actually Installed on Your Fleet?
All IT Services patches the apps your staff installed themselves, not just the ones IT deployed. If your patch reports look suspiciously green, that’s usually why.
Related Guide
Cybersecurity for Sydney SMBs
Explore our complete guide to protecting your business from cyber threats.
