CVE-2026-30903 is a critical security vulnerability identified in the Mail feature of Zoom Communications' Zoom Workplace product for Windows, affecting versions prior to 6.6.0. The issue is categorized under CWE-73, which involves external control of file name or path. This vulnerability allows an unauthenticated attacker to manipulate file paths or names externally, which can lead to an escalation of privileges on the affected system. Specifically, through network access, an attacker can exploit this flaw to gain higher-level permissions than originally granted, potentially compromising the confidentiality, integrity, and availability of the system. The vulnerability has a CVSS v3.1 base score of 9.6, indicating critical severity, with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). Although no public exploits have been reported yet, the nature of the vulnerability and its critical rating suggest that exploitation could lead to full system compromise, data theft, or disruption of services. The vulnerability arises from improper handling of file paths in the Mail feature, which could allow attackers to overwrite or create files in unauthorized locations, thereby escalating privileges or executing arbitrary code. The lack of authentication requirement increases the risk, as attackers can attempt exploitation remotely without valid credentials. Zoom Workplace is used primarily in enterprise environments for collaboration and communication, making this vulnerability a significant risk for organizations relying on this platform on Windows endpoints.

The impact of CVE-2026-30903 is severe for organizations worldwide using Zoom Workplace on Windows systems. Successful exploitation can lead to unauthorized privilege escalation, enabling attackers to execute arbitrary code with elevated permissions. This can result in full system compromise, data breaches, and disruption of business operations. Confidential information may be exposed or altered, and system availability could be affected through malicious actions such as ransomware deployment or service disruption. Given the network-based attack vector and no requirement for authentication, the vulnerability can be exploited remotely, increasing the attack surface. Enterprises with large deployments of Zoom Workplace, especially those in regulated industries or handling sensitive data, face heightened risks. The vulnerability could also be leveraged as a foothold for lateral movement within corporate networks, amplifying its impact. Although no known exploits are currently in the wild, the critical severity and ease of exploitation make it a high-priority threat that could be targeted by advanced threat actors or opportunistic attackers.

To mitigate CVE-2026-30903, organizations should immediately upgrade Zoom Workplace for Windows to version 6.6.0 or later, where the vulnerability is addressed. In the absence of an available patch, administrators should restrict network access to the Zoom Workplace Mail feature, employing firewall rules or network segmentation to limit exposure. Implement application whitelisting and endpoint protection solutions to detect and block suspicious file path manipulations or privilege escalation attempts. Monitor logs and network traffic for unusual activity related to file operations or unauthorized access attempts. Employ strict user privilege management to minimize the impact of potential escalations. Additionally, educate users about the risks of interacting with unsolicited or suspicious communications within Zoom Workplace. Regularly review and update security policies to include controls for collaboration tools. Coordinate with Zoom Communications for any interim security advisories or workarounds. Finally, conduct penetration testing and vulnerability assessments focused on collaboration platforms to proactively identify and remediate similar issues.