Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Vulnerabilities

Zoom and GitLab have released urgent security updates addressing multiple high-severity vulnerabilities that could allow remote code execution (RCE), denial-of-service (DoS) attacks, and two-factor authentication (2FA) bypass.

Zoom MMR Remote Code Execution

The most critical flaw affects Zoom Node Multimedia Routers (MMRs) and carries a CVSS score of 9.9/10. Tracked as CVE-2026-22844, the vulnerability was discovered internally by Zoom’s Offensive Security team.

According to Zoom, a command injection vulnerability in MMR versions prior to 5.2.1716.0 could allow a meeting participant to execute arbitrary code on the router via network access.

  • Affected Products:
    • Zoom Node Meetings Hybrid (ZMH) MMR modules before 5.2.1716.0
    • Zoom Node Meeting Connector (MC) MMR modules before 5.2.1716.0

Zoom has recommended that all customers running Node Meetings Hybrid or Meeting Connector deployments update to the latest MMR version immediately. There is no evidence that the flaw has been exploited in the wild.

GitLab Fixes High-Severity DoS and 2FA Bypass Vulnerabilities

At the same time, GitLab patched multiple vulnerabilities in both its Community Edition (CE) and Enterprise Edition (EE) that could lead to DoS or bypass of 2FA protections:

  • CVE-2025-13927 (CVSS 7.5): Malformed authentication data could allow unauthenticated users to trigger DoS (affects 11.9 to 18.6.4, 18.7 to 18.7.2, and 18.8 to 18.8.2).
  • CVE-2025-13928 (CVSS 7.5): Incorrect authorization in the Releases API could allow unauthenticated users to cause DoS (affects same versions as above).
  • CVE-2026-0723 (CVSS 7.4): Attackers with knowledge of a victim’s credential ID could bypass 2FA by submitting forged device responses.

Additionally, GitLab resolved two medium-severity flaws:

  • CVE-2025-13335 (CVSS 6.5): DoS through malformed Wiki documents that bypass cycle detection.
  • CVE-2026-1102 (CVSS 5.3): DoS via repeated malformed SSH authentication requests.

Users of GitLab CE and EE are advised to update to the patched versions to mitigate these security risks.
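A practical first step for both advisories is an inventory check: compare each installed version against the affected ranges stated above. The script below is an added example written for this page, not code from Zoom or GitLab. It encodes only the ranges the article gives (the two GitLab CVEs with stated version ranges, and the Zoom MMR fixed version 5.2.1716.0), treats the range bounds as inclusive (an assumption), and compares versions numerically so that, for instance, 18.6.10 is correctly placed after 18.6.4 rather than before it as a plain string comparison would. Host names and versions in the sample inventory are constructed.

```python
"""Offline advisory check: does an installed GitLab or Zoom Node MMR version
fall inside the affected ranges named in the advisories above?

Ranges come from the article text; bounds are assumed inclusive, and the
GitLab table covers only the CVEs whose ranges the article states.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed from the article: CVE -> list of (low, high) inclusive ranges.
GITLAB_AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2025-13927": [("11.9", "18.6.4"), ("18.7", "18.7.2"), ("18.8", "18.8.2")],
    "CVE-2025-13928": [("11.9", "18.6.4"), ("18.7", "18.7.2"), ("18.8", "18.8.2")],
}

# Zoom MMR modules before this version are affected by CVE-2026-22844.
ZOOM_MMR_FIXED = "5.2.1716.0"


def parse_version(text: str) -> Version:
    """Parse '18.8.2-ee' or '5.2.1716.0' into a tuple of ints.
    Build suffixes after '-' or '+' (such as '-ee' / '-ce') are ignored."""
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    if not core:
        raise ValueError(f"empty version string: {text!r}")
    return tuple(int(part) for part in core.split("."))


def _pad(v: Version, width: int) -> Version:
    """Right-pad with zeros so '11.9' compares as '11.9.0'."""
    return v + (0,) * (width - len(v))


def version_in_range(version: str, low: str, high: str) -> bool:
    """True when low <= version <= high, compared component-wise as integers
    (so '18.6.10' sorts after '18.6.4', unlike a string comparison)."""
    v, lo, hi = (parse_version(x) for x in (version, low, high))
    width = max(len(v), len(lo), len(hi))
    v, lo, hi = _pad(v, width), _pad(lo, width), _pad(hi, width)
    return lo <= v <= hi


def gitlab_affected_cves(version: str) -> List[str]:
    """CVE ids from the table whose stated affected ranges contain this version."""
    return [
        cve
        for cve, ranges in GITLAB_AFFECTED.items()
        if any(version_in_range(version, lo, hi) for lo, hi in ranges)
    ]


def zoom_mmr_affected(version: str) -> bool:
    """True when the MMR module version is older than the fixed release."""
    v, fixed = parse_version(version), parse_version(ZOOM_MMR_FIXED)
    width = max(len(v), len(fixed))
    return _pad(v, width) < _pad(fixed, width)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    gitlab_hosts = [("gitlab-a", "18.6.4-ee"), ("gitlab-b", "18.6.10-ee"), ("gitlab-c", "18.8.3-ce")]
    for host, ver in gitlab_hosts:
        hits = gitlab_affected_cves(ver)
        print(host, ver, ", ".join(hits) if hits else "not in listed ranges")
    for host, ver in [("mmr-1", "5.2.1700.0"), ("mmr-2", "5.2.1716.0")]:
        print(host, ver, "affected" if zoom_mmr_affected(ver) else "at or above fixed version")
```

Feed it the versions reported by your own asset inventory; a host that lands in a listed range is one to schedule for the update, and a host outside every listed range is only known not to match the ranges the article states, not cleared for the other CVEs mentioned without version data.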

These updates underscore the importance of maintaining timely security patching for collaboration and DevOps platforms, as attackers may exploit vulnerabilities in widely used software to gain system access, disrupt services, or bypass authentication mechanisms.