
Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

Zoom and GitLab have issued urgent security updates addressing multiple vulnerabilities that could allow remote code execution (RCE), denial-of-service (DoS) attacks, and bypass of two-factor authentication (2FA).

Zoom Fixes Critical MMR Flaw

The most severe vulnerability affects Zoom Node Multimedia Routers (MMRs), potentially enabling a meeting participant to execute arbitrary code on the device. Tracked as CVE-2026-22844, the flaw carries a CVSS score of 9.9/10, marking it as critical.

According to Zoom, the issue is a command injection vulnerability in MMR modules prior to version 5.2.1716.0. It is reachable over the network by a meeting participant in Zoom Node Meetings Hybrid and Meeting Connector deployments.

Zoom recommends that all customers update to the latest MMR version to prevent potential attacks. There is currently no evidence that the vulnerability has been exploited in the wild.

Affected Zoom versions:

  • Zoom Node Meetings Hybrid (ZMH) MMR module versions < 5.2.1716.0
  • Zoom Node Meeting Connector (MC) MMR module versions < 5.2.1716.0

GitLab Patches Multiple High-Severity Vulnerabilities

In parallel, GitLab released security updates addressing several high-severity flaws in both Community Edition (CE) and Enterprise Edition (EE), including issues that could trigger DoS conditions or allow 2FA bypass.

Key vulnerabilities fixed by GitLab:

  • CVE-2025-13927 (CVSS 7.5): An unauthenticated user could cause a DoS by sending malformed authentication requests. Affected versions: all versions from 11.9 before 18.6.4, from 18.7 before 18.7.2, and from 18.8 before 18.8.2.
  • CVE-2025-13928 (CVSS 7.5): An authorization flaw in the Releases API that can be abused to cause a DoS. The same version ranges are affected.
  • CVE-2026-0723 (CVSS 7.4): A 2FA bypass in which an attacker who knows the victim's credential ID can forge the authenticator's device response and satisfy the second factor.

GitLab also remediated medium-severity vulnerabilities that could trigger DoS:

  • CVE-2025-13335 (CVSS 6.5): A malformed Wiki document that bypasses cycle detection.
  • CVE-2026-1102 (CVSS 5.3): Repeated malformed SSH authentication requests that exhaust server resources.

Recommendations for Users

Security experts advise:

  1. Immediately update Zoom MMR modules to version 5.2.1716.0 or later.
  2. Apply GitLab patches to all affected versions.
  3. Monitor for unusual login attempts or system behavior, especially in multi-user deployments.
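Steps 1 and 2 both reduce to the same question: is the version you are running inside an affected range? The check is easy to get wrong by hand because GitLab's ranges have an inclusive lower bound and an exclusive upper bound (the upper bound is the fixed release), and Zoom's MMR version has four numeric components. The following script, added here as an illustration and not tooling from Zoom or GitLab, encodes the ranges exactly as the advisories above state them and compares versions component by component. The function names, the inline sample inventory, and the handling of suffixes such as "-ee" are assumptions made for this example.

```python
"""Check installed versions against the ranges named in the Zoom and GitLab advisories.

Added example: this is not Zoom's or GitLab's own tooling. Ranges are copied from the
advisory text; function names and the sample inventory below are this example's own.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'18.6.4' -> (18, 6, 4); '5.2.1716.0' -> (5, 2, 1716, 0).

    Assumption: a trailing edition tag such as '18.6.4-ee' is not part of the
    numeric comparison, so everything from the first '-' on is dropped.
    """
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    # Right-pad with zeros so that 18.6 compares equal to 18.6.0, not less than it.
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a: Version, b: Version) -> bool:
    """True if a is strictly older than b (lexicographic on zero-padded components)."""
    pa, pb = _padded(a, b)
    return pa < pb


# CVE-2025-13927 / CVE-2025-13928: inclusive lower bound, exclusive upper bound
# (the upper bound is the release that carries the fix).
GITLAB_DOS_RANGES: List[Tuple[str, str]] = [
    ("11.9", "18.6.4"),
    ("18.7", "18.7.2"),
    ("18.8", "18.8.2"),
]

# CVE-2026-22844: every MMR module version below the fixed release is affected.
ZOOM_MMR_FIXED = "5.2.1716.0"


def gitlab_affected_range(version: str,
                          ranges: Sequence[Tuple[str, str]] = GITLAB_DOS_RANGES) -> Optional[str]:
    """Return the 'lo <= v < hi' range that matches, or None if the version is not affected."""
    v = parse_version(version)
    for lo, hi in ranges:
        if not version_lt(v, parse_version(lo)) and version_lt(v, parse_version(hi)):
            return f"{lo} <= {version} < {hi}"
    return None


def zoom_mmr_affected(version: str) -> bool:
    """True if the MMR module version is older than the fixed release."""
    return version_lt(parse_version(version), parse_version(ZOOM_MMR_FIXED))


def audit(inventory: Dict[str, Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Map host -> reason string if affected, else None. inventory: host -> (product, version)."""
    findings: Dict[str, Optional[str]] = {}
    for host, (product, version) in inventory.items():
        if product == "gitlab":
            findings[host] = gitlab_affected_range(version)
        elif product == "zoom-mmr":
            findings[host] = f"{version} < {ZOOM_MMR_FIXED}" if zoom_mmr_affected(version) else None
        else:
            findings[host] = None  # product not covered by these advisories
    return findings


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = {
        "git01": ("gitlab", "18.6.3-ee"),
        "git02": ("gitlab", "18.6.4-ee"),
        "git03": ("gitlab", "18.7.1"),
        "mmr01": ("zoom-mmr", "5.2.1700.0"),
        "mmr02": ("zoom-mmr", "5.2.1716.0"),
    }
    for host, reason in audit(sample).items():
        print(f"{host}: {'AFFECTED (' + reason + ')' if reason else 'ok'}")
```

Feed it the version strings you already collect from your inventory (for GitLab the version shown on `/help` or by `gitlab-rake gitlab:env:info`; for Zoom the MMR module version from the Zoom Node console) and treat any non-empty result as a patch-now item. Because the upper bound is exclusive, a host on exactly 18.6.4 or 5.2.1716.0 is correctly reported as not affected.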

These updates highlight the continued importance of timely patch management for software that supports remote collaboration and development workflows.
