Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws
#Vulnerabilities

Security Reporter

Two major enterprise platforms have released critical security patches addressing vulnerabilities that could lead to remote code execution, denial-of-service attacks, and two-factor authentication bypass. The updates target flaws in Zoom's Node Multimedia Routers and GitLab's Community and Enterprise editions, with the most severe issue carrying a CVSS score of 9.9.

Zoom and GitLab have both released urgent security updates to address a range of critical vulnerabilities that could expose their users to remote code execution, denial-of-service attacks, and two-factor authentication bypass. These patches come as organizations increasingly rely on these platforms for collaboration and development workflows, making timely remediation essential for maintaining security posture.

Zoom's Critical Command Injection Flaw

The most severe vulnerability disclosed is a critical command injection flaw in Zoom's Node Multimedia Routers (MMRs), tracked as CVE-2026-22844. This vulnerability carries a CVSS score of 9.9 out of 10.0, indicating it poses an extreme risk to affected systems. The flaw was discovered internally by Zoom's Offensive Security team and affects MMR versions prior to 5.2.1716.0.

The vulnerability exists in the command processing functionality of Zoom's MMR components, which handle media routing for Zoom meetings. According to Zoom's security advisory, "A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access."

This means that a malicious participant in a Zoom meeting could potentially execute arbitrary commands on the MMR server, giving them control over the media routing infrastructure. The attack vector is particularly concerning because it doesn't require sophisticated social engineering—simply joining a meeting could provide an attacker with the opportunity to exploit the vulnerability.

Zoom's MMR technology is used in several deployment scenarios:

  • Zoom Node Meetings Hybrid (ZMH): For organizations that need to keep meeting traffic on-premises while using Zoom's cloud services
  • Zoom Node Meeting Connector (MC): For hybrid deployments that connect on-premises infrastructure to Zoom's cloud

The company has emphasized that there is currently no evidence of this vulnerability being exploited in the wild, but the severity score and potential impact warrant immediate attention from affected organizations.

Practical Recommendations for Zoom Users

Organizations using Zoom Node deployments should take the following steps:

  1. Immediate Update: Update all Zoom Node MMR modules to version 5.2.1716.0 or later. This update is available through the standard Zoom deployment channels.

  2. Inventory Check: Verify which Zoom deployment models your organization uses. The vulnerability specifically affects:

    • Zoom Node Meetings Hybrid MMR modules (all versions before 5.2.1716.0)
    • Zoom Node Meeting Connector MMR modules (all versions before 5.2.1716.0)

  3. Network Segmentation: If immediate updating isn't feasible, consider isolating Zoom Node infrastructure from general network access and limiting meeting participant capabilities until patches can be applied.

  4. Monitoring: Implement enhanced monitoring for unusual activity on MMR servers, particularly unexpected command execution or media routing anomalies.

GitLab's Multi-Faceted Security Update

Simultaneously, GitLab released patches for multiple high-severity vulnerabilities affecting both its Community Edition (CE) and Enterprise Edition (EE). These vulnerabilities span several attack vectors, from denial-of-service conditions to authentication bypasses.

Critical Denial-of-Service Vulnerabilities

Two vulnerabilities (CVE-2025-13927 and CVE-2025-13928) both carry CVSS scores of 7.5 and enable unauthenticated users to trigger denial-of-service conditions through crafted requests:

  • CVE-2025-13927: A vulnerability in authentication data processing that allows unauthenticated users to create DoS conditions by sending requests with malformed authentication data. This affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2.

  • CVE-2025-13928: An incorrect authorization vulnerability in the Releases API that similarly allows unauthenticated users to cause DoS conditions. This affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2.

These vulnerabilities are particularly dangerous because they don't require authentication, meaning any attacker on the internet could potentially disrupt GitLab services for an organization.

Two-Factor Authentication Bypass

Perhaps the most concerning vulnerability for security-conscious organizations is CVE-2026-0723, which carries a CVSS score of 7.4. This vulnerability allows an attacker with existing knowledge of a victim's credential ID to bypass two-factor authentication by submitting forged device responses.

The attack works by exploiting a flaw in GitLab's 2FA verification process. If an attacker obtains a user's credential ID (which could be gathered through various means, including phishing or social engineering), they can craft malicious device responses that the system accepts as valid, effectively bypassing the second authentication factor.

This vulnerability affects all GitLab versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2. The implications are significant for organizations that rely on GitLab's 2FA as a critical security control for protecting source code and development workflows.
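As an inventory aid for the three GitLab CVEs whose affected ranges are quoted above, the following helper (added here, not a GitLab tool) maps an installed version string to the CVEs that apply to it. The ranges are exactly those stated in the article, read as "first affected version up to, but not including, the first fixed version" for each release branch; the `-ee` suffix handling is an assumption about how a self-hosted instance may report its version.

```python
"""Check an installed GitLab version against the published affected ranges.

Example helper, not GitLab code. Ranges are transcribed from the advisory
text quoted above: a version is affected when, for any listed branch,
first_affected <= version < first_fixed.
"""

AFFECTED_RANGES = {
    "CVE-2025-13927": [("11.9", "18.6.4"), ("18.7", "18.7.2"), ("18.8", "18.8.2")],
    "CVE-2025-13928": [("17.7", "18.6.4"), ("18.7", "18.7.2"), ("18.8", "18.8.2")],
    "CVE-2026-0723":  [("18.6", "18.6.4"), ("18.7", "18.7.2"), ("18.8", "18.8.2")],
}


def parse_version(version: str) -> tuple[int, ...]:
    """'18.6.3' -> (18, 6, 3).

    Components are padded to three so that a branch start such as '18.7'
    compares as 18.7.0 (and therefore as affected) rather than as a shorter
    tuple. A trailing edition suffix such as '-ee' (assumed format) is dropped.
    """
    core = version.split("-")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def applicable_cves(installed: str) -> list[str]:
    """Return the CVE IDs whose affected ranges include the installed version."""
    v = parse_version(installed)
    hits = []
    for cve, ranges in AFFECTED_RANGES.items():
        for first_affected, first_fixed in ranges:
            if parse_version(first_affected) <= v < parse_version(first_fixed):
                hits.append(cve)
                break  # one matching branch is enough
    return hits


if __name__ == "__main__":
    # Constructed sample versions, one per interesting case.
    for sample in ("18.6.3", "18.5.0", "17.6.0", "18.8.1-ee", "18.7.2"):
        print(sample, "->", applicable_cves(sample) or "not affected")
```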

Additional Medium-Severity Issues

GitLab also addressed two medium-severity vulnerabilities that could trigger DoS conditions:

  • CVE-2025-13335 (CVSS 6.5): Allows DoS through malformed Wiki documents that bypass cycle detection mechanisms
  • CVE-2026-1102 (CVSS 5.3): Enables DoS via repeated malformed SSH authentication requests

Understanding the Impact

For Zoom Deployments

The Zoom vulnerability represents a significant risk for organizations using on-premises or hybrid meeting infrastructure. Unlike cloud-only Zoom deployments, where Zoom manages the infrastructure, Node deployments place media routing components within the organization's network perimeter. This means:

  • Internal Network Exposure: The vulnerable MMR components are typically accessible from the internal network, potentially allowing lateral movement if compromised
  • Meeting Security: A compromised MMR could potentially allow an attacker to intercept or manipulate meeting media streams
  • Infrastructure Trust: Organizations often treat internal infrastructure as more trusted than external services, which could lead to relaxed monitoring

For GitLab Environments

The GitLab vulnerabilities affect a wide range of deployment scenarios:

  • Self-Hosted Installations: Organizations running their own GitLab instances must apply patches directly
  • GitLab.com Users: GitLab's cloud service has been patched, but users should verify their instance is running the latest version
  • CI/CD Pipelines: DoS vulnerabilities could disrupt development workflows, particularly in automated deployment scenarios

The 2FA bypass vulnerability is especially critical for organizations that:

  • Require 2FA for all developers accessing code repositories
  • Use GitLab for managing sensitive projects or intellectual property
  • Have compliance requirements mandating multi-factor authentication

Technical Deep Dive: How These Vulnerabilities Work

Command Injection in Zoom MMR

Command injection vulnerabilities typically occur when user input is passed directly to system command execution functions without proper sanitization. In the context of Zoom's MMR, the vulnerability likely exists in how the router processes meeting participant requests or media routing instructions.

The attack flow would typically involve:

  1. A meeting participant sends specially crafted data through the meeting interface
  2. The MMR processes this data as part of normal media routing operations
  3. The input bypasses sanitization checks and is executed as a system command
  4. The attacker gains remote code execution on the MMR server

This type of vulnerability is particularly dangerous in media processing systems because they often run with elevated privileges to handle real-time audio and video streams.

GitLab's 2FA Bypass Mechanism

The 2FA bypass in GitLab (CVE-2026-0723) likely exploits a flaw in the device response validation process. Modern 2FA implementations typically involve:

  1. Credential ID Generation: When a user sets up 2FA, the system generates a unique credential ID
  2. Challenge-Response: The system sends a challenge to the user's 2FA device
  3. Device Response: The device computes and sends back a response based on the challenge and a secret key
  4. Validation: The system verifies the response using the stored secret and credential ID

The vulnerability suggests that GitLab's validation process didn't properly verify that the response was generated by the legitimate device associated with the credential ID, allowing an attacker to forge responses if they knew the credential ID.
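The four-step flow above hinges on the validation step binding the device response to the credential the account actually registered, not merely to a credential ID the client names. The sketch below is an added illustration of that binding and is hypothetical example code, not GitLab's implementation; the authenticator is modelled as an HMAC-SHA256 over the challenge keyed by a per-credential secret, standing in for a real device, and the account names, credential IDs and secrets are constructed.

```python
"""Second-factor verification that binds a response to the account's own
credential and to a single-use challenge. Hypothetical example, not GitLab code."""
import hashlib
import hmac
import secrets

# Constructed server-side enrolment state: each account maps the credential
# IDs it registered to the secret established with that device at set-up.
REGISTERED = {
    "alice": {"cred-alice-1": b"alice-device-secret"},
    "bob":   {"cred-bob-1":   b"bob-device-secret"},
}

# Challenges issued for in-progress logins, keyed by account. Each is
# removed the first time it is checked, so a captured response cannot be replayed.
_pending: dict[str, bytes] = {}


def issue_challenge(username: str) -> bytes:
    """Step 2: a fresh random challenge for this login attempt."""
    challenge = secrets.token_bytes(32)
    _pending[username] = challenge
    return challenge


def device_response(secret: bytes, challenge: bytes) -> bytes:
    """Step 3 (device side): the response is a keyed digest of the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify_second_factor(username: str, credential_id: str, response: bytes) -> bool:
    """Step 4: accept only a response that verifies under the secret registered
    for this credential ID on this account, against this login's challenge.
    Knowing the credential ID alone therefore does not yield a valid response."""
    challenge = _pending.pop(username, None)  # consume: a second use fails
    if challenge is None:
        return False
    # Resolve the credential under the authenticating account only, so an ID
    # enrolled on a different account cannot be substituted.
    secret = REGISTERED.get(username, {}).get(credential_id)
    if secret is None:
        return False
    expected = device_response(secret, challenge)
    return hmac.compare_digest(expected, response)
```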

Broader Security Implications

These vulnerabilities highlight several important trends in enterprise software security:

1. The Persistence of Classic Vulnerabilities

Despite decades of awareness, command injection and authentication bypass vulnerabilities continue to appear in major enterprise software. This underscores the importance of:

  • Defense in Depth: Relying on multiple security controls rather than single points of failure
  • Regular Security Audits: Continuous testing of authentication and authorization mechanisms
  • Input Validation: Rigorous sanitization of all user-supplied input, especially in network-facing components

2. The Complexity of Hybrid Deployments

Zoom's MMR vulnerability specifically affects hybrid deployments, which are increasingly common as organizations balance security, compliance, and cost. These deployments introduce additional complexity:

  • Mixed Trust Boundaries: Internal and external components with different security postures
  • Update Coordination: Multiple components that must be updated simultaneously
  • Network Configuration: Complex firewall rules and access controls

3. The Critical Role of Authentication Systems

The GitLab 2FA bypass demonstrates how vulnerabilities in authentication systems can undermine other security controls. Organizations should:

  • Monitor Authentication Logs: Look for unusual patterns that might indicate bypass attempts
  • Implement Additional Controls: Consider hardware security keys or biometric authentication as complements to software-based 2FA
  • Regular Security Reviews: Periodically assess the security of authentication mechanisms

Remediation Strategy

Immediate Actions

  1. Patch Management: Apply the latest security updates for both Zoom and GitLab installations
  2. Risk Assessment: Evaluate which systems are most critical and prioritize remediation accordingly
  3. Temporary Mitigations: If immediate patching isn't possible, implement network-level controls to limit exposure

Long-Term Considerations

  1. Vulnerability Management Program: Establish a systematic approach to tracking and remediating vulnerabilities
  2. Security Testing: Regular penetration testing and vulnerability scanning of all enterprise applications
  3. Vendor Communication: Maintain relationships with software vendors to receive timely security advisories

Conclusion

The simultaneous disclosure of vulnerabilities in Zoom and GitLab serves as a reminder that even widely-used, enterprise-grade software is not immune to security flaws. The severity of these vulnerabilities—particularly the 9.9 CVSS score for Zoom's command injection flaw—demands immediate attention from affected organizations.

For Zoom users, the priority is updating Node MMR components to version 5.2.1716.0 or later. For GitLab users, patching to versions 18.6.4, 18.7.2, or 18.8.2 (depending on the current version) is essential, especially to address the 2FA bypass vulnerability.

These incidents also reinforce the importance of maintaining comprehensive security practices: regular updates, network segmentation, monitoring, and defense-in-depth strategies. In an era where collaboration and development tools are central to business operations, their security cannot be an afterthought.

Organizations should use these disclosures as an opportunity to review their security posture, not just for these specific products, but for all enterprise software in their environment. The most effective security strategy combines timely patching with robust monitoring, access controls, and incident response capabilities.
