Executive Summary:
A critical command injection vulnerability has been discovered in Zoom Node Multimedia Routers (MMRs), the core infrastructure responsible for processing meeting traffic. This flaw allows a malicious participant within a meeting to take complete control of the server, potentially leading to service disruption, data theft, and further intrusion into the corporate network. Due to the high severity and potential impact, immediate remediation is strongly advised.

Vulnerability Details

CVE-ID: CVE-2026-22844

Affected Software: Zoom Node Multimedia Routers (MMRs)

Affected Versions: All versions before 5.2.1716.0

Vulnerability: This is a command injection vulnerability that can be triggered by a meeting participant. An attacker can send specially crafted data packets during a meeting session to the MMR. The server fails to properly sanitize this input, interpreting it as a system command and executing it with the privileges of the MMR service. This allows for unauthenticated remote code execution (RCE) on the underlying server by anyone who can join a meeting hosted on a vulnerable MMR.

Business Impact

This vulnerability is rated as critical with a CVSS score of 9.9, representing an extremely high risk to the organization. Successful exploitation could lead to a complete compromise of the affected Zoom Node Multimedia Router. The business impact includes the potential for eavesdropping on sensitive meetings, theft of proprietary data, disruption of critical communication services, and the use of the compromised server as a pivot point to launch further attacks against the internal corporate network.

Remediation Plan

Immediate Action:
Update all affected Zoom Node Multimedia Routers to version 5.2.1716.0 or later as recommended by the vendor. After patching, monitor system logs for any signs of compromise that may have occurred prior to the update. Review access logs for any unusual meeting participant activity.

Proactive Monitoring:

• Log Analysis: Scrutinize MMR service logs for unusual commands, errors, or unexpected process execution. Monitor system-level logs on the server for anomalous activity originating from the MMR service account.
• Network Traffic: Monitor for unexpected outbound connections from MMR servers to unknown IP addresses, which could indicate a reverse shell or data exfiltration.
• System Behavior: Implement host-based monitoring to detect unexpected file creation, modification, or high CPU/memory usage on MMR servers.

Compensating Controls:

• Network Segmentation: Isolate MMRs in a dedicated network segment (DMZ) with strict firewall rules that limit their ability to initiate connections to other critical internal systems.
• Egress Filtering: Implement strict egress firewall rules to block all outbound traffic from MMRs except for what is explicitly required for operation. This can prevent command-and-control (C2) communication.
• Intrusion Detection/Prevention System (IDS/IPS): Deploy network security tools with signatures capable of detecting and blocking common command injection attack patterns.

Exploitation Status

Public Exploit Available: false

Analyst Notes:
As of Jan 20, 2026, there are no known public exploits or active attacks leveraging this vulnerability. However, given the critical severity (CVSS 9.9) and the relative simplicity of the attack vector (requiring only meeting participant access), it is highly probable that threat actors will develop a functional exploit in the near future. Organizations should assume this vulnerability will be exploited.

Analyst Recommendation

Given the critical severity (CVSS 9.9) of this remote code execution vulnerability, immediate action is required. Organizations must prioritize the deployment of the vendor-supplied patch for all affected Zoom Node Multimedia Routers. Although this vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact and potential for widespread exploitation make it a significant threat. All vulnerable systems should be patched or have compensating controls applied immediately to prevent a potential compromise.

Executive Summary:
A high-severity vulnerability has been discovered in a component used by multiple Zoom products, identified as CVE-2025-47553. This flaw allows an unauthenticated, remote attacker to send specially crafted data to the application, which could result in arbitrary code execution and a complete compromise of the affected system. Due to the critical nature and high CVSS score of 8.8, immediate remediation is strongly recommended to prevent potential data breaches and system takeovers.

Vulnerability Details

CVE-ID: CVE-2025-47553

Affected Software: zoom Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: This vulnerability is classified as Deserialization of Untrusted Data. The affected component, DZS Video Gallery, improperly validates data it receives before deserializing it. An attacker can exploit this by crafting a malicious serialized data object and sending it to the application. When the application processes this data, it deserializes it back into an object in memory, which triggers the "Object Injection" and executes arbitrary code with the permissions of the Zoom application service.

Business Impact

This is a High severity vulnerability with a CVSS score of 8.8. Successful exploitation could have a severe impact on the organization, leading to a full system compromise. The primary risks include the exfiltration of sensitive data processed by the Zoom application, disruption of service, and the ability for an attacker to use the compromised system as a pivot point to move laterally within the corporate network. This could result in significant financial loss, reputational damage, and regulatory penalties depending on the data compromised.

Remediation Plan

Immediate Action:

• Identify all systems running the affected Zoom products.
• Apply the security updates provided by the vendor immediately, prioritizing internet-facing systems.
• After patching, monitor application and system logs for any signs of post-remediation exploitation attempts or indicators of a prior compromise.

Proactive Monitoring:

• Log Analysis: Review application and web server logs for unusual or malformed requests directed at the DZS Video Gallery component. Look for deserialization error messages or unexpected process executions spawned by the Zoom service.
• Network Monitoring: Monitor network traffic for anomalous outbound connections from servers running the affected software, which could indicate a command-and-control (C2) channel.
• Endpoint Detection and Response (EDR): Ensure EDR solutions are monitoring for suspicious process chains or command-line arguments originating from the Zoom application process.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not feasible, implement strict WAF rules to inspect and block known malicious serialized object patterns.
• Network Segmentation: Isolate servers running the vulnerable software from other critical network segments to limit an attacker's ability to move laterally.
• Principle of Least Privilege: Ensure the service account running the Zoom application has the minimum permissions necessary for its operation.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of January 7, 2026, there are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability. However, deserialization vulnerabilities are a well-understood class of bug, and given the high CVSS score, it is highly probable that threat actors and security researchers will develop exploit code in the near future by reverse-engineering the vendor's patch.

Analyst Recommendation

The high severity of this vulnerability warrants immediate and decisive action. Organizations are strongly advised to prioritize the deployment of vendor-supplied patches across all affected assets. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for enabling remote code execution makes it an attractive target for attackers. Proactive patching is the most effective defense and is critical to mitigating the risk of a significant security breach.

Executive Summary:
A critical vulnerability has been identified in the Digital zoom studio (DZS) Video Gallery software, assigned CVE-2025-47552. This flaw, rated with a CVSS score of 9.8, allows an unauthenticated remote attacker to take complete control of an affected server by sending specially crafted data. Successful exploitation could lead to total system compromise, data theft, and significant service disruption.

Vulnerability Details

CVE-ID: CVE-2025-47552

Affected Software: Digital zoom studio DZS Video Gallery

Affected Versions: All versions up to and including 12.37

Vulnerability: The software is vulnerable to Deserialization of Untrusted Data. An attacker can send a malicious, serialized data payload to the application. When the application processes this data, it improperly deserializes it into an object in memory, which triggers the execution of embedded malicious code. This "Object Injection" allows the attacker to achieve Remote Code Execution (RCE) on the server with the permissions of the web application, leading to a full system compromise.

Business Impact

This vulnerability presents a critical risk to the organization, reflected by its CVSS score of 9.8. A successful exploit could allow an attacker to gain complete control over the affected server, leading to severe consequences such as the theft of sensitive business or customer data, deployment of ransomware, disruption of critical services hosted on the server, and using the compromised system as a pivot point to launch further attacks against the internal network. The potential for reputational damage and financial loss is extremely high.

Remediation Plan

Immediate Action: Immediately update the DZS Video Gallery software on all affected systems to the latest version provided by the vendor (a version higher than 12.37). After patching, it is crucial to monitor systems for any signs of exploitation that may have occurred prior to the update and review access logs for suspicious activity.

Proactive Monitoring: Implement enhanced monitoring on affected systems. Look for unusual patterns in web server access logs, such as unexpected or malformed POST requests. Monitor for unexpected processes being spawned by the web server application, unusual outbound network connections, and application error logs that may indicate failed deserialization attempts.

Compensating Controls: If immediate patching is not feasible, implement compensating controls. Place the affected application behind a Web Application Firewall (WAF) with rules specifically designed to inspect and block malicious serialized objects. Restrict network access to the application, allowing connections only from trusted IP addresses. Ensure the application is running with the principle of least privilege to limit the potential impact of a compromise.

Exploitation Status

Public Exploit Available: false

Analyst Notes: As of Jan 7, 2026, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical severity and the nature of the flaw (RCE), it is highly probable that threat actors will develop and deploy exploits in the near future.

Analyst Recommendation

Given the critical severity (CVSS 9.8) of this vulnerability and its potential for complete system compromise, immediate action is required. We strongly recommend that all instances of DZS Video Gallery version 12.37 and earlier are patched to the latest version without delay. Although this vulnerability is not currently listed on the CISA KEV list, its high score indicates it should be treated with the highest priority. Systems should be considered compromised if any evidence of exploitation is found during log review.

Executive Summary:
A critical vulnerability has been identified in PTZOptics and other ValueHD-based camera products, stemming from hard-coded administrative credentials. This flaw allows an unauthenticated attacker to easily gain complete control of affected cameras, potentially leading to unauthorized surveillance, network compromise, and operational disruption. Due to the ease of exploitation and the critical impact, immediate remediation is strongly advised.

Vulnerability Details

CVE-ID: CVE-2025-35451

Affected Software: PTZOptics and possibly other Multiple Products

Affected Versions: See vendor advisory for specific affected versions

Vulnerability: Affected pan-tilt-zoom (PTZ) cameras are manufactured with hard-coded, default administrative credentials. An attacker can connect to the camera's exposed SSH or telnet services over the network and authenticate using these known or easily crackable credentials. Successful exploitation grants the attacker root-level or administrative access, allowing them to view and manipulate video feeds, alter device configurations, install malicious software, or use the compromised camera as a pivot point to attack other systems on the internal network.

Business Impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on the organization, leading to significant security and operational risks. An attacker could compromise physical security by disabling or manipulating camera feeds to hide illicit activities. The breach of confidentiality through unauthorized access to video surveillance can result in espionage, privacy violations, and reputational damage. Furthermore, compromised cameras are frequently co-opted into botnets, which can be used to launch large-scale Distributed Denial-of-Service (DDoS) attacks, consuming network resources and potentially causing widespread service outages.

Remediation Plan

Immediate Action:
The primary remediation step is to update the firmware on all affected PTZOptics and other ValueHD-based cameras to the latest version provided by the vendor. This update is expected to remove the hard-coded credentials and enforce a unique password policy. In parallel, security teams should actively monitor for any signs of exploitation and review historical access logs for unauthorized logins via SSH or telnet.

Proactive Monitoring:

• Log Analysis: Scrutinize system and access logs for successful administrative logins from unknown or suspicious IP addresses, particularly over SSH (port 22) and telnet (port 23).
• Network Traffic: Monitor for anomalous network traffic originating from the cameras, such as connections to known command-and-control (C2) servers or participation in DDoS attacks (e.g., large volumes of UDP or TCP SYN traffic).
• Configuration Integrity: Regularly check for unauthorized configuration changes, new user accounts, or unexpected services running on the devices.

Compensating Controls:
If immediate patching is not feasible, implement the following controls to mitigate risk:

• Network Segmentation: Isolate cameras on a dedicated VLAN with strict firewall rules that only permit access from authorized management stations and video recording systems.
• Access Restriction: Explicitly block all inbound internet access to the cameras' management interfaces (SSH, telnet, web).
• Password Change: If the device firmware allows, immediately change any default passwords to strong, unique credentials.

Exploitation Status

Public Exploit Available: True

Analyst Notes:
As of Sep 5, 2025, there are no specific, widespread exploitation campaigns publicly attributed to this CVE. However, vulnerabilities involving hard-coded credentials are trivial to exploit and are rapidly weaponized by threat actors for automated scanning and botnet recruitment. The technical details required to exploit this vulnerability are public, meaning any attacker can attempt to gain access.

Analyst Recommendation
Given the critical CVSS score of 9.8 and the trivial nature of exploitation, this vulnerability poses an immediate and significant threat to the organization. We strongly recommend that all affected devices be patched immediately. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls outlined above, especially network segmentation and blocking external access, must be implemented without delay to prevent a compromise.