CVE-2026-22844: Zoom Has a CVSS 9.9 and Nobody's Talking About It

CVSS 9.9 out of 10. That's almost a perfect score, and not the kind you want.

CVE-2026-22844 is a command injection vulnerability in Zoom Node Multimedia Routers (MMRs). A meeting participant, anyone in the call, can exploit it to execute arbitrary code on the Zoom infrastructure via network access.

Let me say that again: someone in your Zoom meeting can run code on your servers.

This isn't some obscure component nobody uses. Zoom MMRs handle the actual media routing for Zoom meetings. If you run on-premises Zoom infrastructure, or if you use Zoom Rooms with self-hosted components, this affects you.

Zoom also dropped three more vulnerabilities the same week. CVE-2026-30903, classified as Critical, targets the Mail feature in Zoom Workplace for Windows and allows privilege escalation. The other two are high-severity privilege escalation flaws.

Four security bulletins in one day. That's not a good day for Zoom. And it's not a good day for any business relying on Zoom without monitoring these advisories.

The collaboration platform problem.

This isn't just a Zoom issue. Look at what's dropped across collaboration platforms in 2026:

Zoom: CVE-2026-22844 (CVSS 9.9, command injection), CVE-2026-30903 (Critical, privilege escalation), plus two more high-severity flaws.

Microsoft Teams: CVE-2026-21535, an improper access control vulnerability. Network-based exploitation, no user interaction required, no authentication needed.

Cisco Webex: CVE-2026-20184 (CVSS 9.8), the SSO authentication bypass I wrote about that lets attackers impersonate any user.

Every major collaboration platform has had a critical vulnerability this year. These are the tools you use for board meetings, HR conversations, client calls, financial discussions, and strategic planning. The stuff you'd never say in a public forum is flowing through platforms with CVEs dropping monthly.

Why your business should care even if you use cloud Zoom.

"We don't self-host Zoom, so we're fine." Not entirely.

The cloud vulnerabilities get patched by Zoom automatically. True. But the client-side vulnerabilities (like CVE-2026-30903 in Zoom Workplace for Windows) require you to update the application on every device in your organization.

How many of your employees are running the latest version of Zoom right now? How many are running the version they installed two years ago and never updated? How many clicked "Remind me later" on the update prompt 47 times?

If your answer is "I don't know," that's the problem. Unmanaged client applications on employee devices are a blind spot that most small businesses don't address.

What attackers do with collaboration platform access.

A compromised collaboration platform isn't just about eavesdropping (though that's bad enough). Here's what an attacker actually does:

Harvest credentials. Meeting chat logs, shared files, and integration tokens contain a goldmine of credentials. People paste passwords in Zoom chat. They share access links with tokens in the URL. They post API keys "just for this meeting." All of it is accessible to an attacker who compromises the platform.

Impersonate executives. With access to someone's collaboration account, the attacker can send messages as that person. "Hey team, I need someone to process this payment. Details in the chat." Coming from the CEO's verified Zoom account, who's going to question it?

Access recorded meetings. If your organization records meetings (and many do), those recordings are stored somewhere. Board meetings. HR reviews. Client strategy sessions. Legal discussions. M&A conversations. An attacker with access to the recording library has everything.

Pivot to connected systems. Collaboration platforms integrate with everything: file storage, project management, calendars, CRM, email. A compromised Zoom or Teams account often has OAuth tokens to Dropbox, Google Drive, Slack, Salesforce, and more. One compromised account leads to half a dozen compromised services.

The uncomfortable question.

How many tools does your business run where you have no idea what version is installed, who has access, what data flows through them, or when they were last updated?

Be honest. Zoom, Slack, Teams, Google Meet, plus all the integrations and plugins attached to them. How many of those are managed? How many are just "install it and go" with no oversight?

For most small businesses, the answer is all of them are unmanaged. Everyone installed whatever they needed, logged in with whatever password they had, and connected whatever integrations were convenient. Nobody audited it. Nobody monitors it. Nobody updates it.

That's not a technology problem. That's a management problem. And it's the kind of problem that leads to a breach notification letter.

What we do about it.

We help businesses get a handle on their tool sprawl. Not by ripping everything out and starting over. By auditing what's there, identifying the risks, and putting basic controls in place:

• Application inventory. What collaboration tools are in use? Who has access? What integrations are connected?
• Update management. Ensuring critical applications are on current versions across all devices.
• Access controls. MFA on every collaboration account. Removing ex-employees. Restricting guest access.
• Data hygiene. Policies for what can and can't be shared in meeting chats. Automatic retention and deletion of recordings.
• Monitoring. Watching for unusual login patterns, new integrations, and unauthorized access.

And we train your team on the human side: don't paste credentials in chat, verify financial requests through a separate channel even if they come from the CEO's Zoom, treat meeting recordings as sensitive data.

The tools aren't going away. Zoom, Teams, Slack are how business gets done now. But "how business gets done" doesn't have to mean "how the business gets breached."

(773) 417-9994 or southsidechisolutions.com