Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

AndyC 22 January 2026

Ravie LakshmananJan 21, 2026Vulnerability / Network Security

Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution.

Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

Ravie LakshmananJan 21, 2026Vulnerability / Network Security

Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws

Zoom and GitLab have released security updates to resolve a number of security vulnerabilities that could result in denial-of-service (DoS) and remote code execution.

The most severe of the lot is a critical security flaw impacting Zoom Node Multimedia Routers (MMRs) that could permit a meeting participant to conduct remote code execution attacks. The vulnerability, tracked as CVE-2026-22844 and discovered internally by its Offensive Security team, carries a CVSS score of 9.9 out of 10.0.

“A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access,” the company noted in a Tuesday alert.

Zoom is recommending that customers using Zoom Node Meetings, Hybrid, or Meeting Connector deployments update to the latest available MMR version to safeguard against any potential threat.

There is no evidence that the security flaw has been exploited in the wild. The vulnerability affects the following versions –

  • Zoom Node Meetings Hybrid (ZMH) MMR module versions prior to 5.2.1716.0
  • Zoom Node Meeting Connector (MC) MMR module versions prior to 5.2.1716.0
Cybersecurity

GitLab Releases Patches for Severe Flaws

The disclosure comes as GitLab released fixes for multiple high-severity flaws affecting its Community Edition (CE) and Enterprise Edition (EE) that could result in DoS and a bypass of two-factor authentication (2FA) protections. The shortcomings are listed below –

  • CVE-2025-13927 (CVSS score: 7.5) – A vulnerability that could allow an unauthenticated user to create a DoS condition by sending crafted requests with malformed authentication data (Affects all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
  • CVE-2025-13928 (CVSS score: 7.5) – An incorrect authorization vulnerability in the Releases API that could allow an unauthenticated user to cause a DoS condition (Affects all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2)
  • CVE-2026-0723 (CVSS score: 7.4) – A vulnerability that could allow an individual with existing knowledge of a victim’s credential ID to bypass 2FA by submitting forged device responses (Affects all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 )

Also remediated by GitLab are two other medium-severity bugs that could also trigger a DoS condition (CVE-2025-13335, CVSS score: 6.5, and CVE-2026-1102, CVSS score: 5.3) by configuring malformed Wiki documents that bypass cycle detection and sending repeated malformed SSH authentication requests, respectively.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , ,

More Stories

North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews

North Korean PurpleBravo Campaign Targeted 3,136 IP Addresses via Fake Job Interviews

AndyC 22 January 2026
Webinar: How Smart MSSPs Using AI to Boost Margins with Half the Staff

Webinar: How Smart MSSPs Using AI to Boost Margins with Half the Staff

AndyC 22 January 2026
Exposure Assessment Platforms Signal a Shift in Focus

Exposure Assessment Platforms Signal a Shift in Focus

AndyC 22 January 2026
Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs

Chainlit AI Framework Flaws Enable Data Theft via File Read and SSRF Bugs

AndyC 22 January 2026
VoidLink Linux Malware Framework Built with AI Assistance Reaches 88,000 Lines of Code

VoidLink Linux Malware Framework Built with AI Assistance Reaches 88,000 Lines of Code

AndyC 22 January 2026
LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords

LastPass Warns of Fake Maintenance Messages Targeting Users’ Master Passwords

AndyC 21 January 2026

You may have missed

NDSS 2025 – Dissecting Payload-Based Transaction Phishing On Ethereum

ACME flaw in Cloudflare allowed attackers to reach origin servers

AndyC 22 January 2026
Executive Brief: Questions AI is Creating that Security Can’t Answer Today

Executive Brief: Questions AI is Creating that Security Can’t Answer Today

AndyC 22 January 2026
Technical Architecture Guide: Fixing Code Issues Early to Protect Developer Flow

Technical Architecture Guide: Fixing Code Issues Early to Protect Developer Flow

AndyC 22 January 2026
OpenAI to add age verification to ChatGPT

The AI Security Maturity Model for AI-First Development Teams

AndyC 22 January 2026
Jamf has a warning for macOS vibe coders

GDPR violations are rising sharply

AndyC 22 January 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.