CVE-2026-30901 is a vulnerability identified in Zoom Communications Inc.'s Zoom Rooms software for Windows, specifically affecting versions prior to 6.6.5 when operated in Kiosk Mode. The root cause is improper input validation (CWE-20), which can be exploited by an authenticated user with local access to escalate their privileges on the system. Kiosk Mode typically restricts user interaction to a limited interface, but this flaw allows a user with low-level privileges to bypass these restrictions and gain higher-level access, potentially compromising system controls and sensitive data. The vulnerability requires local access and authentication, but no additional user interaction is necessary. The CVSS v3.1 score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that while exploitation complexity is high and requires local privileges, the impact on confidentiality, integrity, and availability is severe. No public exploits have been reported yet, and no official patches have been linked, though the vulnerability is published and recognized by Zoom. This flaw could be leveraged in environments where Zoom Rooms is deployed in kiosk setups, such as conference rooms, public terminals, or shared devices, potentially allowing malicious insiders or compromised users to gain unauthorized control.

The vulnerability poses a significant risk to organizations using Zoom Rooms in Windows-based kiosk environments. Successful exploitation can lead to privilege escalation, enabling attackers to execute unauthorized actions, access sensitive information, or disrupt system operations. This can compromise the confidentiality of communications, integrity of system configurations, and availability of Zoom Rooms services. In environments where Zoom Rooms controls critical meeting infrastructure or integrates with other enterprise systems, the impact could extend to broader network compromise or data breaches. The requirement for local authenticated access limits remote exploitation but raises concerns in shared or public kiosk deployments where multiple users have physical or logical access. The lack of current public exploits reduces immediate risk but also means organizations must proactively address the vulnerability before attackers develop exploits.

Organizations should monitor Zoom Communications' official channels for patches addressing CVE-2026-30901 and apply updates to Zoom Rooms for Windows as soon as they become available. Until patched, restrict local access to devices running Zoom Rooms in kiosk mode to trusted personnel only, and implement strict access controls and monitoring on these endpoints. Consider disabling kiosk mode if not essential or deploying additional endpoint protection solutions that can detect privilege escalation attempts. Conduct regular audits of user privileges and system logs to identify suspicious activity. Employ application whitelisting and least privilege principles to minimize the attack surface. Additionally, educate users and administrators about the risks of local access vulnerabilities and enforce physical security controls to prevent unauthorized device access.