Zoom and GitLab have issued urgent security updates to address multiple vulnerabilities that could allow remote code execution (RCE), denial-of-service (DoS) attacks, and two-factor authentication (2FA) bypasses.
Critical Zoom Vulnerability in Node Multimedia Routers
The most severe flaw affects Zoom Node Multimedia Routers (MMRs) and is tracked as CVE-2026-22844. Discovered internally by Zoom’s Offensive Security team, the vulnerability carries a CVSS score of 9.9/10, indicating critical severity.
The flaw is a command injection vulnerability that could allow a meeting participant to execute arbitrary code on the MMR via network access. Affected versions include:
- Zoom Node Meetings Hybrid (ZMH) MMR modules prior to 5.2.1716.0
- Zoom Node Meeting Connector (MC) MMR modules prior to 5.2.1716.0
Zoom has advised all users of Node Meetings, Hybrid, or Meeting Connector deployments to update to the latest MMR version immediately. There is currently no evidence of exploitation in the wild.
GitLab Patches High-Severity Flaws
Simultaneously, GitLab released updates for Community Edition (CE) and Enterprise Edition (EE) addressing several serious vulnerabilities:
- CVE-2025-13927 (CVSS 7.5): Malformed authentication data could trigger a DoS condition for unauthenticated users.
- CVE-2025-13928 (CVSS 7.5): Incorrect authorization in the Releases API could also lead to DoS attacks.
- CVE-2026-0723 (CVSS 7.4): Allows bypass of 2FA using forged device responses if an attacker knows a user’s credential ID.
Two additional medium-severity issues were patched:
- CVE-2025-13335 (CVSS 6.5): DoS via malformed Wiki documents bypassing cycle detection.
- CVE-2026-1102 (CVSS 5.3): DoS through repeated malformed SSH authentication attempts.
GitLab recommends that all users apply the updates immediately to prevent potential account compromise, service disruption, or unauthorized access.
Cybersecurity Takeaways
These vulnerabilities highlight the ongoing risks in collaboration and DevOps platforms, emphasizing the need for organizations to maintain timely patching practices and monitor deployments for unusual activity. The Zoom MMR flaw, in particular, demonstrates how critical infrastructure in communication platforms can be exploited by insiders or meeting participants if left unpatched.