Advisory

Zoom Patches Critical Command Injection Flaw in Node Multimedia Routers

Take action: Make sure all Zoom Node devices are isolated from the internet and accessible from trusted networks only. Update your MMR modules to version 5.2.1716.0 as soon as possible, because even if the devices are isolated, there will be a way in through compromised user endpoints.


Learn More

Zoom released security updates to fix a command injection bug in its Node Multimedia Routers (MMRs). These routers handle video and audio traffic for organizations using hybrid or connector setups, and the flaw enables meeting participants to take over the router through the network.

The vulnerability is tracked as CVE-2026-22844 (CVSS score 9.9). It lets an attacker run their own code on the system. Since the attack works over the network, a person in a meeting could break into the router without being in the room.

Affected products are:

  • Zoom Node Meetings Hybrid (ZMH) MMR modules before version 5.2.1716.0
  • Zoom Node Meeting Connector (MC) MMR modules before version 5.2.1716.0

This fix follows an August 2025 update for CVE-2025-49457 (CVSS score 9.6). That older bug let attackers get higher rights on Windows computers using the Zoom app.

Admins should update to version 5.2.1716.0 or newer. Zoom has not detected active exploitation yet and advises keeping these routers on private networks.
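To find deployments still below the fixed version, the following added example (not from Zoom or the original advisory) triages an inventory export against 5.2.1716.0. The CSV layout, the module codes as column values, and the host names are assumptions made for illustration; versions are compared numerically because a plain string comparison would wrongly rank 5.2.999.0 above 5.2.1716.0.

```python
import csv
import io

FIXED = (5, 2, 1716, 0)           # first fixed MMR module version per the advisory
AFFECTED_MODULES = {"ZMH", "MC"}  # Zoom Node Meetings Hybrid / Meeting Connector

# Constructed sample inventory; column names and hosts are assumptions.
SAMPLE_INVENTORY = """host,module,mmr_version
node-a.example.internal,ZMH,5.2.1716.0
node-b.example.internal,MC,5.2.999.0
node-c.example.internal,ZMH,5.1.2000.3
node-d.example.internal,MC,5.3.10.0
node-e.example.internal,MC,unknown
"""


def parse_version(text):
    """Return a four-part dotted version as a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def triage(inventory_csv):
    """Map each affected-module host to 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["module"] not in AFFECTED_MODULES:
            continue
        version = parse_version(row["mmr_version"])
        if version is None:
            # No usable version string: report it so it gets checked by hand.
            results[row["host"]] = "unknown"
        elif version < FIXED:  # tuple comparison is numeric, field by field
            results[row["host"]] = "vulnerable"
        else:
            results[row["host"]] = "patched"
    return results


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown should be treated as unpatched until their version is confirmed.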
