CVE-2026-22844 is a critical vulnerability classified under CWE-78, indicating improper neutralization of special elements used in OS commands, commonly known as OS command injection. This vulnerability affects Zoom Communications Inc.'s Zoom Node Multimedia Routers (MMRs) in versions prior to 5.2.1716.0. The flaw allows a remote attacker, specifically a meeting participant with network access, to inject and execute arbitrary OS commands on the MMR device. The attack vector is network-based, requiring only low privileges (PR:L) and no user interaction (UI:N), which significantly lowers the barrier for exploitation. The vulnerability has a CVSS v3.1 base score of 9.9, reflecting its critical severity, with impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The vulnerability arises due to insufficient sanitization or neutralization of special characters or command elements in the input processed by the MMR software, enabling command injection. Successful exploitation could lead to full remote code execution, allowing attackers to take control of the MMR device, disrupt multimedia routing, intercept or manipulate communications, or pivot to other network assets. No patches or exploit code links are currently provided, and no known exploits in the wild have been reported yet. However, the critical nature and ease of exploitation make timely remediation essential.

For European organizations, this vulnerability poses a significant threat, especially those relying on Zoom Node MMRs for critical communication infrastructure. Exploitation could lead to complete compromise of multimedia routing devices, resulting in unauthorized access to sensitive communications, disruption of video conferencing services, and potential lateral movement within corporate networks. This could affect sectors such as government, finance, healthcare, and large enterprises that depend on secure and reliable video communications. The loss of confidentiality could expose sensitive meeting content, while integrity and availability impacts could disrupt business operations and damage organizational reputation. Given the low complexity and no user interaction required, attackers could exploit this vulnerability remotely and stealthily, increasing the risk of widespread impact across European organizations using affected Zoom products.

European organizations should immediately verify their Zoom Node MMR versions and upgrade to version 5.2.1716.0 or later once available. Until patches are applied, network segmentation should be enforced to isolate MMR devices from untrusted networks and restrict meeting participant network access to these devices. Implement strict access controls and monitor network traffic for unusual command execution patterns or anomalies related to MMR devices. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting command injection attempts. Conduct regular audits of Zoom Node MMR configurations and logs to detect potential exploitation attempts. Additionally, organizations should engage with Zoom support for any interim mitigation guidance and monitor threat intelligence feeds for emerging exploit information. Training IT staff on this specific vulnerability and response procedures will enhance readiness.