Zoom and GitLab Release Patches for Critical Vulnerabilities, Including Near-Perfect 9.9 CVSS RCE Flaw in Zoom Node

Zoom & GitLab Race to Patch Critical Flaws, Including a 9.9 CVSS RCE Bug

CRITICAL
January 22, 2026
January 27, 2026
4m read
Patch ManagementVulnerability

Related Entities(initial)

Organizations

Zoom GitLab

Products & Tech

Zoom Node Multimedia Routers (MMRs)

CVE Identifiers

CVE-2026-22844
CRITICAL
CVSS:9.9
CVEDetails.com CVE.org
CVE-2025-13927
HIGH
CVEDetails.com CVE.org
CVE-2025-13928
HIGH
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1499Impact

Endpoint Denial of Service

Full Report(when first published)

Executive Summary

Zoom and GitLab have both released critical security patches to address a range of high-severity vulnerabilities in their products. The most alarming is CVE-2026-22844, a vulnerability in Zoom Node Multimedia Routers (MMRs) with a CVSS score of 9.9, which could allow a remote, unauthenticated attacker to execute arbitrary code. GitLab's update is also significant, fixing multiple flaws including two that could be exploited for Denial-of-Service (DoS) attacks, potentially disrupting critical development and CI/CD pipelines. The releases underscore the persistent threat of vulnerabilities in widely-used collaboration and development platforms, and administrators are strongly advised to apply the updates without delay.

Vulnerabilities Addressed

Zoom

  • CVE-2026-22844: This is a critical remote code execution (RCE) vulnerability affecting Zoom Node Multimedia Routers (MMRs).
    • CVSS Score: 9.9 (Critical)
    • Impact: Allows an attacker with network access to execute arbitrary code on the device, leading to a full compromise.
    • Vector: Network

GitLab

  • CVE-2025-13927 & CVE-2025-13928: These are high-severity vulnerabilities affecting GitLab.
    • Impact: Could allow an unauthenticated attacker to create a Denial-of-Service (DoS) condition.
    • Risk: Disruption of software development, CI/CD pipelines, and source code management.

Other vulnerabilities patched by both vendors include potential two-factor authentication bypasses and other DoS flaws.

Affected Products

  • Zoom: Zoom Node Multimedia Routers (MMRs). Specific affected versions should be confirmed via the official Zoom security bulletin.
  • GitLab: Multiple versions of GitLab Community Edition (CE) and Enterprise Edition (EE). Users should consult the GitLab release post for detailed version information.

Impact Assessment

  • Zoom (CVE-2026-22844): A 9.9 CVSS RCE vulnerability in a core network component like an MMR is a worst-case scenario. A successful exploit could allow an attacker to intercept or manipulate real-time communication traffic, gain a persistent foothold in the corporate network, and pivot to attack other internal systems. The high CVSS score indicates the flaw is likely easy to exploit and requires no user interaction.
  • GitLab (DoS Flaws): While not as severe as RCE, a DoS attack against a central GitLab instance can bring an organization's entire software development lifecycle to a halt. This stops developers from committing code, breaks automated build and deployment pipelines, and can result in significant financial and productivity losses.

Remediation Steps

There are no workarounds for these critical vulnerabilities. The only course of action is to patch.

  1. Update Immediately: Administrators for both Zoom and GitLab must prioritize the installation of the latest security updates. This is the most critical step and aligns with MITRE ATT&CK Mitigation M1051 - Update Software.
  2. Verify Patch Installation: After applying the updates, verify that the new version is running and the systems are no longer vulnerable using scanners or manual checks.
  3. Restrict Access (Interim Control): For the Zoom Node MMRs, ensure that the management interfaces are not exposed to the internet and are only accessible from a trusted management network. This can serve as a temporary compensating control but does not replace the need to patch.

Detection Methods

  • Vulnerability Scanning: Run authenticated and unauthenticated vulnerability scans against your Zoom Node and GitLab infrastructure to identify any instances that are missing the latest security updates.
  • Network Monitoring: Monitor network traffic to and from Zoom Node MMRs for any unusual patterns or connection attempts from untrusted sources that could indicate scanning or exploitation attempts related to CVE-2026-22844.
  • Log Analysis: For GitLab, monitor application and system logs for a sudden spike in errors or resource consumption that could indicate a DoS attack in progress.

Timeline of Events

1
January 22, 2026
This article was published

Article Updates

January 27, 2026

Zoom RCE (CVE-2026-22844) details: command injection, exploitable by authenticated meeting participant. Affected versions (prior to 5.2.1716.0) and detection methods released.

Update Sources:
research.checkpoint.com26th January – Threat Intelligence Report

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The only effective mitigation is to apply the security updates provided by Zoom and GitLab immediately.

Mapped D3FEND Techniques:

D3-SU

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

Given the critical 9.9 CVSS score for the Zoom vulnerability (CVE-2026-22844) and the high-impact DoS flaws in GitLab, immediate and comprehensive patching is non-negotiable. Organizations must activate their emergency patching procedures. For Zoom Node MMRs, this involves following Zoom's specific update guidance for the hardware. For GitLab, administrators should upgrade their instances to the latest patched version specified in the release announcement. A failure to patch the Zoom flaw could lead to a full network compromise, while ignoring the GitLab update could halt all development operations. These updates should be considered top priority for all security and IT operations teams.

Sources & References(when first published)

Cyware Daily Threat Intelligence, January 22, 2026
Cyware (cyware.com) January 22, 2026
Zoom fixed critical Node Multimedia Routers flaw
Security Affairs (securityaffairs.co) January 21, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

ZoomGitLabRCEDoSVulnerabilityPatchingCritical

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.