Zoom and GitLab have both issued security updates for a set of newly disclosed vulnerabilities. The issues range from denial-of-service (DoS) conditions and a two-factor authentication bypass on the GitLab side to remote code execution on Zoom's on-premises meeting infrastructure. Neither vendor reports in-the-wild exploitation at the time of disclosure, but the severity ratings make prompt patching the sensible course.
The most severe of the disclosed flaws sits in the Multimedia Router (MMR) module of Zoom Node. Tracked as CVE-2026-22844, it carries a CVSS score of 9.9 out of 10, reflecting the impact of the bug rather than any measured likelihood of exploitation: a meeting participant could use a command injection flaw to execute arbitrary code on the affected MMR and take control of it. The issue was found by Zoom's internal Offensive Security team rather than by an external reporter, which is a point in favour of in-house security review of self-hosted components.
Zoom Addresses Critical Remote Code Execution Vulnerability
Zoom's advisory describes a command injection vulnerability in earlier versions of the Zoom Node MMR module that allows a meeting participant with network access to the MMR to achieve remote code execution on it. This matters most for organizations that run Zoom's on-premises components for hybrid meetings or dedicated meeting connectors, since the MMR sits inside their own network. Zoom advises all customers using Zoom Node Meetings Hybrid or Meeting Connector deployments to update their MMR modules: versions prior to 5.2.1716.0 are affected, and 5.2.1716.0 or later contains the fix. Zoom reports no evidence of exploitation in the wild, but the combination of a 9.9 score and an attacker role as ordinary as "meeting participant" argues for patching without delay.
This critical vulnerability affects both Zoom Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0 and Zoom Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0. Customers are urged to verify their current version and apply the necessary updates as soon as possible to mitigate this risk and ensure the integrity of their communication environments.
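The version boundary above is the one concrete check an operator can script. The following is an added example, not Zoom's own tooling and not code from the original article: it compares dotted MMR version strings against the 5.2.1716.0 threshold from the advisory and triages a constructed inventory of hosts. The inventory format (host, role, version), the host names and the helper names are assumptions for illustration; only the fixed version comes from the advisory. The comparison is numeric per component, so "5.2.1716" and "5.2.1716.0" are treated as equal and "5.1.9999.0" is correctly flagged as older, which naive string comparison would get wrong.

```python
from __future__ import annotations

import re
from typing import Iterable

# Fixed MMR module version named in Zoom's advisory (from the article).
ZOOM_MMR_FIXED = "5.2.1716.0"


def parse_version(version: str) -> tuple[int, ...]:
    """Split a dotted version string into a tuple of ints for ordered comparison.

    Trailing zero components are dropped so "5.2.1716" and "5.2.1716.0" compare
    equal. Anything that is not purely dotted digits raises ValueError rather
    than silently comparing as "patched".
    """
    version = version.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_prior_to(version: str, fixed: str = ZOOM_MMR_FIXED) -> bool:
    """True if `version` is strictly older than `fixed`, i.e. still affected."""
    return parse_version(version) < parse_version(fixed)


def triage_inventory(lines: Iterable[str], fixed: str = ZOOM_MMR_FIXED) -> dict[str, list[str]]:
    """Classify 'host,role,version' lines into needs_patch / ok / unparsable.

    Unparsable entries are reported separately instead of being dropped, so a
    host with an unknown version is never mistaken for a patched one.
    """
    result: dict[str, list[str]] = {"needs_patch": [], "ok": [], "unparsable": []}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, role, version = (f.strip() for f in line.split(","))
        except ValueError:  # wrong number of fields
            result["unparsable"].append(line)
            continue
        try:
            affected = is_prior_to(version, fixed)
        except ValueError:  # version field is not a dotted number
            result["unparsable"].append(line)
            continue
        result["needs_patch" if affected else "ok"].append(f"{host} ({role}) {version}")
    return result


# Constructed sample inventory; these hosts and versions are illustrative only.
SAMPLE_INVENTORY = """\
# host,role,mmr_version
mmr-hyb-01.example.internal,ZMH,5.2.1702.0
mmr-hyb-02.example.internal,ZMH,5.2.1716.0
mmr-mc-01.example.internal,MC,5.2.1716
mmr-mc-02.example.internal,MC,5.1.9999.0
mmr-mc-03.example.internal,MC,unknown
"""


if __name__ == "__main__":
    report = triage_inventory(SAMPLE_INVENTORY.splitlines())
    for bucket, hosts in report.items():
        print(f"{bucket}:")
        for entry in hosts:
            print(f"  {entry}")
```

The same `is_prior_to` check works for any product whose advisory gives a single fixed version per branch; pass that version as `fixed` instead of the Zoom default.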
GitLab Patches Multiple High-Severity Security Flaws
In parallel, GitLab has also released security fixes for several high-severity vulnerabilities impacting both its Community Edition (CE) and Enterprise Edition (EE). These issues could lead to denial-of-service conditions and, more alarmingly, allow for the bypass of two-factor authentication (2FA) protections, a critical layer of security for user accounts. The comprehensive patching effort demonstrates GitLab’s commitment to maintaining a secure platform for its vast user base.
Among the disclosed vulnerabilities, CVE-2025-13927 (CVSS score: 7.5) lets an unauthenticated user trigger a DoS condition by sending crafted requests containing malformed authentication data; it affects multiple recent GitLab versions. CVE-2025-13928 (CVSS score: 7.5), in the Releases API, likewise allows unauthenticated users to induce a DoS state. The most notable of the set is CVE-2026-0723 (CVSS score: 7.4): an attacker who knows a victim's credential ID can bypass 2FA by submitting forged device responses, which turns a second factor that is supposed to be unphishable into something that can be stepped around with a single identifier.
GitLab also fixed two medium-severity DoS bugs. CVE-2025-13335 (CVSS score: 6.5) involves malformed Wiki documents that bypass cycle detection, and CVE-2026-1102 (CVSS score: 5.3) concerns repeated malformed SSH authentication requests. Disclosing and patching these issues before any reported exploitation is the outcome operators want, but it only helps instances that actually apply the release.
Moving forward, users of both Zoom and GitLab are strongly encouraged to review the security advisories provided by each company and apply the relevant patches. The ongoing effort to address these security issues is a clear indication that software vendors must continually invest in robust security practices and rapid response mechanisms to stay ahead of emerging threats in the digital landscape.