CVE-2026-22844
Zoom · Zoom Node Multimedia Routers (MMRs)
Executive summary
A critical command injection vulnerability has been discovered in Zoom Node Multimedia Routers (MMRs), the core infrastructure responsible for processing meeting traffic. This flaw allows a malicious participant within a meeting to take complete control of the server, potentially leading to service disruption, data theft, and further intrusion into the corporate network. Due to the high severity and potential impact, immediate remediation is strongly advised.
Vulnerability
This is a command injection vulnerability that can be triggered by a meeting participant. An attacker can send specially crafted data packets during a meeting session to the MMR. The server fails to properly sanitize this input, interpreting it as a system command and executing it with the privileges of the MMR service. This allows for unauthenticated remote code execution (RCE) on the underlying server by anyone who can join a meeting hosted on a vulnerable MMR.
Business impact
This vulnerability is rated as critical with a CVSS score of 9.9, representing an extremely high risk to the organization. Successful exploitation could lead to a complete compromise of the affected Zoom Node Multimedia Router. The business impact includes the potential for eavesdropping on sensitive meetings, theft of proprietary data, disruption of critical communication services, and the use of the compromised server as a pivot point to launch further attacks against the internal corporate network.
Remediation
Immediate Action: Update all affected Zoom Node Multimedia Routers to version 5.2.1716.0 or later as recommended by the vendor. After patching, monitor system logs for any signs of compromise that may have occurred prior to the update. Review access logs for any unusual meeting participant activity.
Proactive Monitoring:
- Log Analysis: Scrutinize MMR service logs for unusual commands, errors, or unexpected process execution. Monitor system-level logs on the server for anomalous activity originating from the MMR service account.
- Network Traffic: Monitor for unexpected outbound connections from MMR servers to unknown IP addresses, which could indicate a reverse shell or data exfiltration.
- System Behavior: Implement host-based monitoring to detect unexpected file creation, modification, or high CPU/memory usage on MMR servers.
Compensating Controls:
- Network Segmentation: Isolate MMRs in a dedicated network segment (DMZ) with strict firewall rules that limit their ability to initiate connections to other critical internal systems.
- Egress Filtering: Implement strict egress firewall rules to block all outbound traffic from MMRs except for what is explicitly required for operation. This can prevent command-and-control (C2) communication.
- Intrusion Detection/Prevention System (IDS/IPS): Deploy network security tools with signatures capable of detecting and blocking common command injection attack patterns.
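The Network Traffic and Egress Filtering items above can be checked against existing flow logs. The following is an added example, not vendor or advisory code: it flags connections initiated by an MMR that an explicit egress allowlist does not cover. The MMR addresses, allowlist entry, internal range, and CSV log layout are all constructed assumptions to be replaced with your own.

```python
import csv
import io
import ipaddress

# All addresses, ports and the log layout below are constructed placeholders
# (documentation ranges), not values from the advisory. Replace with your own.
MMR_HOSTS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# (destination network, protocol, destination port) the MMRs may initiate.
ALLOWED_EGRESS = [(ipaddress.ip_network("198.51.100.0/24"), "tcp", 443)]

# Constructed flow records: one row per connection, src is the initiator.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2026-01-20T10:00:01Z,192.0.2.10,198.51.100.20,tcp,443
2026-01-20T10:00:05Z,203.0.113.7,192.0.2.10,udp,8801
2026-01-20T10:02:13Z,192.0.2.10,203.0.113.99,tcp,4444
2026-01-20T10:03:40Z,192.0.2.11,10.20.0.5,tcp,22
2026-01-20T10:04:02Z,192.0.2.11,198.51.100.20,udp,443
"""

def is_allowed(dst, proto, dport):
    """True if the destination matches an explicit egress allowlist entry."""
    return any(dst in net and proto == p and dport == port
               for net, p, port in ALLOWED_EGRESS)

def unexpected_egress(flow_csv):
    """Return flows initiated by an MMR that the allowlist does not cover."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src = ipaddress.ip_address(row["src"])
            dst = ipaddress.ip_address(row["dst"])
            proto, dport = row["proto"].lower(), int(row["dport"])
        except (KeyError, TypeError, ValueError, AttributeError):
            continue  # malformed record; track these separately in production
        if src not in MMR_HOSTS or is_allowed(dst, proto, dport):
            continue  # inbound or unrelated traffic, or permitted egress
        # Internal destinations suggest lateral movement; external ones suggest
        # a callback or exfiltration channel.
        kind = "internal" if any(dst in n for n in INTERNAL_NETS) else "external"
        findings.append((row["ts"], str(src), str(dst), proto, dport, kind))
    return findings

if __name__ == "__main__":
    for finding in unexpected_egress(SAMPLE_FLOWS):
        print("UNEXPECTED EGRESS", *finding)
```

The same allowlist tuples can serve as the source of truth for the egress firewall rules, so that detection and enforcement stay consistent.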
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical severity (CVSS 9.9) of this remote code execution vulnerability, immediate action is required. Organizations must prioritize the deployment of the vendor-supplied patch for all affected Zoom Node Multimedia Routers. Although this vulnerability is not yet listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact and potential for widespread exploitation make it a significant threat. All vulnerable systems should be patched or have compensating controls applied immediately to prevent a potential compromise.