Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalPublic exploit

Command Injection RCE in Zoom Node Multimedia Routers

IdentifiersCVE-2026-22844CWE-78· Improper Neutralization of Special…

CVE-2026-22844 is a critical command injection vulnerability in Zoom Node Multimedia Routers (MMRs) affecting versions prior to 5.2.1716.0. The issue impacts the MMR module used in Zoom Node Meetings Hybrid (ZMH) and Zoom Node Meeting Connector (MC) deployments. According to Zoom, a meeting participant can exploit the flaw via network access to cause remote code execution on the MMR. The vulnerable component is the Multimedia Router responsible for processing meeting audio and video streams in these hybrid/connector environments. The published CVSS v3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, consistent with low attack complexity, low privileges, no user interaction, and high impact across confidentiality, integrity, and availability.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation provides remote code execution on the affected Zoom Node MMR, enabling compromise of the router component handling meeting traffic. This can result in unauthorized access to system resources, arbitrary command execution, altered system behavior, service disruption, and potential interception or manipulation of meeting data traversing the MMR. Because the scope is changed and the impacts are high for confidentiality, integrity, and availability, compromise may also facilitate broader follow-on activity such as lateral movement or malware deployment from the affected host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of Zoom Node MMRs to untrusted network paths as much as operationally feasible, restrict access to only required participants and network sources, and increase monitoring of Zoom Node MMR hosts and application logs for suspicious command execution, unauthorized access, abnormal process creation, service instability, or signs of post-exploitation. Be prepared to rotate credentials and investigate for historic compromise because mitigation alone does not remove the underlying flaw.

Remediation

Patch, then assume compromise.

Upgrade affected Zoom Node Multimedia Routers to version 5.2.1716.0 or later. This applies to Zoom Node Meetings Hybrid (ZMH) MMR modules and Zoom Node Meeting Connector (MC) MMR modules prior to 5.2.1716.0. Follow Zoom's Zoom Node update guidance and verify all relevant hybrid/connector deployments have been updated. If compromise is suspected, perform incident response actions in addition to patching, as upgrading prevents future exploitation but does not remediate prior compromise.
PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos.

VALID 1 / 1 TOTALView more in app
Ashwesker-CVE-2026-22844MaturityPoCVerified exploit

Repository contains a single Python proof-of-concept exploit (CVE-2026-22844.py) and a README describing the vulnerability and usage. The exploit targets Zoom Node MMR deployments prior to 5.2.1716.0 and performs unauthenticated network-based command injection leading to RCE. Core behavior: the script takes a target base URL and an arbitrary shell command, then iterates over four likely MMR control API paths. It sends an HTTPS POST with JSON body {action:"execute_control", control_command:"shell:<base64>", async:false}. The injected command is wrapped with START/END markers ("echo START; <cmd>; echo END") and base64-encoded to help bypass weak filtering. It treats HTTP 200/201/202/500 as potential success and attempts to extract command output between START/END from the response body. Notable targeting/assumptions: it sets X-Zoom-Meeting-ID (user-supplied or a fake default) and an Authorization: Bearer dummy-token header, implying the vulnerable endpoint may be reachable without strong authentication but may require meeting-context access. TLS verification is disabled (verify=False). The README provides example commands including reverse shell via bash /dev/tcp and file read of /etc/passwd. Overall purpose: operational PoC for remote command execution against exposed Zoom Node MMR control endpoints by exploiting insufficient sanitization of the control_command parameter.

AshweskerDisclosed Jan 22, 2026pythonmarkdownnetwork
EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
Zoom CommunicationsNode Multimedia Router (Mmr)hardware
Zoom CommunicationsNode Multimedia Routers (Mmr)application
Zoom CommunicationsNode Multimedia Routers (Mmrs)application
Zoom CommunicationsZoom Node Meeting Connector (Mc) Mmr Moduleapplication
Zoom CommunicationsZoom Node Meetings Hybrid (Zmh) Mmr Moduleapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

41 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

41 SOURCESView more in app
cloudatg insightsNews
Feb 13, 2026
AI Development & Software Engineering | CloudATG

Zoom Node Multimedia Router (MMR) vulnerability that can allow a meeting participant to achieve remote code execution.

Read more
the hacker newsNews
Jan 29, 2026
remote code execution - Latest News, Reports & Analysis | The Hacker News

A critical command injection in Zoom Node Multimedia Routers (MMRs) enabling a meeting participant to achieve RCE over network access.

Read more
upguard blogNews
Jan 27, 2026
Critical Zoom Vulnerability (CVE-2026-22844) | UpGuard

A critical command injection vulnerability in Zoom Node Multimedia Routers (MMRs) used in hybrid meeting environments that can allow arbitrary code execution by meeting participants; described as easy to exploit with high impact (CVSS 9.9).

Read more
checkpoint research blogNews
Jan 26, 2026
26th January - Threat Intelligence Report - Check Point Research

Critical command injection in Zoom Node Multimedia Routers (Meeting Connector/Meetings Hybrid) enabling participant remote code execution on versions prior to 5.2.1716.0.

Read more
+9 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity27

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-22844
NVD
nvd.nist.gov/vuln/detail/CVE-2026-22844
MITRE CWE · CWE-78
Improper Neutralization of Special Elements…
zoom.com
zoom.com/en/trust/security-bulletin/zsb-26001