Executive Summary
In January 2026, Zoom and GitLab simultaneously released critical security updates to mitigate multiple high-severity vulnerabilities uncovered in their respective platforms. Zoom's most impactful flaw, CVE-2026-22844 (CVSS 9.9), affected its Node Multimedia Routers (MMRs), potentially enabling a meeting participant to perform remote code execution via a command injection. GitLab, meanwhile, addressed several vulnerabilities including two denial-of-service (DoS) issues and a two-factor authentication (2FA) bypass flaw (CVE-2026-0723), which could let malicious actors disrupt services or compromise user accounts if they knew credential IDs. While no active exploitation was reported, organizations using Zoom’s Node MMR module and GitLab’s CE/EE deployments were urged to patch immediately to avoid significant business disruption or data compromise.
The disclosure of these vulnerabilities highlights the increasing sophistication and severity of threats targeting software supply chains and critical collaboration platforms. With attackers frequently seeking novel vectors for RCE, DoS, and authentication bypass, timely patching and robust segmentation remain crucial.
Why This Matters Now
Major software platforms are prime targets for attackers seeking large-scale access or disruption, and the convergence of remote code execution and 2FA bypass flaws threatens both data integrity and business continuity. Rapid remediation is critical as vulnerabilities in widely used collaboration and DevOps tools can be weaponized before organizations adapt, potentially driving regulatory scrutiny and reputational damage.
Attack Path Analysis
An attacker could exploit the critical vulnerabilities in Zoom Node MMR and GitLab to gain initial access, through remote code execution on the MMR or authentication bypass on GitLab. Privilege escalation could follow from the injected commands on the MMR or from a GitLab account whose second factor was bypassed. With sufficient access, adversaries could attempt lateral movement within cloud or on-prem environments, pivoting to connected workloads or services. If undetected, attackers might establish command and control channels to maintain persistence or orchestrate follow-on actions. Sensitive data could be exfiltrated through authorized or covert outbound channels. The attack could culminate in disrupting services (DoS), deploying ransomware, modifying configurations, or causing reputational and operational impact.
Kill Chain Progression
Initial Compromise
Description
An adversary could exploit the Zoom Node MMR command injection (CVE-2026-22844) or abuse GitLab's authentication flaws to gain access to internal systems.
Related CVEs
CVE-2026-22844
CVSS 9.9
A command injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access.
Affected Products:
Zoom Node Multimedia Router – < 5.2.1716.0
Exploit Status:
no public exploit
CVE-2025-13927
CVSS 7.5
A vulnerability that could allow an unauthenticated user to create a DoS condition by sending crafted requests with malformed authentication data.
Affected Products:
GitLab Community Edition (CE) – 11.9 to 18.6.3
GitLab Enterprise Edition (EE) – 11.9 to 18.6.3
Exploit Status:
no public exploit
CVE-2025-13928
CVSS 7.5
An incorrect authorization vulnerability in the Releases API that could allow an unauthenticated user to cause a DoS condition.
Affected Products:
GitLab Community Edition (CE) – 17.7 to 18.6.3
GitLab Enterprise Edition (EE) – 17.7 to 18.6.3
Exploit Status:
no public exploit
CVE-2026-0723
CVSS 7.4
A vulnerability that could allow an individual with existing knowledge of a victim's credential ID to bypass 2FA by submitting forged device responses.
Affected Products:
GitLab Community Edition (CE) – 18.6 to 18.6.3
GitLab Enterprise Edition (EE) – 18.6 to 18.6.3
Exploit Status:
no public exploit
CVE-2025-13335
CVSS 6.5
A vulnerability that could trigger a DoS condition by configuring malformed Wiki documents that bypass cycle detection.
Affected Products:
GitLab Community Edition (CE) – All versions
GitLab Enterprise Edition (EE) – All versions
Exploit Status:
no public exploit
CVE-2026-1102
CVSS 5.3
A vulnerability that could trigger a DoS condition by sending repeated malformed SSH authentication requests.
Affected Products:
GitLab Community Edition (CE) – All versions
GitLab Enterprise Edition (EE) – All versions
Exploit Status:
no public exploit
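The affected-version ranges above are the check most teams need first. The following is an added example (not Zoom's or GitLab's code) that transcribes those ranges into a small inventory check; the "All versions" entries are carried as unbounded, so they stay flagged until the operator confirms the fixed release, and the inventory is a constructed sample.

```python
"""Affected-version check for the CVEs listed above (added example, not vendor code).
Ranges are transcribed from the page's "Affected Products"; None means the page
gives no bound ("All versions"), so those CVEs stay flagged until the fix is confirmed."""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# (cve, product, low bound inclusive, high bound, high bound inclusive?, cvss)
AFFECTED = [
    ("CVE-2026-22844", "zoom-node-mmr", None, "5.2.1716.0", False, 9.9),  # "< 5.2.1716.0"
    ("CVE-2025-13927", "gitlab", "11.9", "18.6.3", True, 7.5),
    ("CVE-2025-13928", "gitlab", "17.7", "18.6.3", True, 7.5),
    ("CVE-2026-0723", "gitlab", "18.6", "18.6.3", True, 7.4),
    ("CVE-2025-13335", "gitlab", None, None, True, 6.5),  # "All versions"
    ("CVE-2026-1102", "gitlab", None, None, True, 5.3),   # "All versions"
]

def parse_version(s: str) -> Version:
    """'5.2.1716.0' -> (5, 2, 1716, 0); a non-numeric component raises ValueError."""
    return tuple(int(p) for p in s.strip().split("."))

def version_cmp(a: Version, b: Version) -> int:
    """Compare after zero-padding, so 18.6 == 18.6.0 and 18.6 < 18.6.3."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def in_range(v: Version, lo: Optional[str], hi: Optional[str], hi_incl: bool) -> bool:
    if lo is not None and version_cmp(v, parse_version(lo)) < 0:
        return False
    if hi is not None:
        c = version_cmp(v, parse_version(hi))
        if c > 0 or (c == 0 and not hi_incl):
            return False
    return True

def exposed_cves(product: str, version: str) -> List[Tuple[str, float]]:
    """CVEs from the table that apply to this product/version, highest CVSS first."""
    v = parse_version(version)
    hits = [(cve, cvss) for cve, prod, lo, hi, incl, cvss in AFFECTED
            if prod == product and in_range(v, lo, hi, incl)]
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [("mmr-01", "zoom-node-mmr", "5.2.1700.0"),
                 ("gitlab-prod", "gitlab", "18.6.3"), ("gitlab-test", "gitlab", "18.6.4")]
    for host, product, version in inventory:
        print(host, version, exposed_cves(product, version) or "no listed CVE applies")
```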
MITRE ATT&CK® Techniques
Exploitation for Client Execution
Exploit Public-Facing Application
Exploitation for Defense Evasion
Valid Accounts
Brute Force: Password Guessing
Modify Authentication Process
Endpoint Denial of Service
Compromise Application Logic
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Administrators
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Access Privileges
Control ID: 500.03, 500.07
DORA (Digital Operational Resilience Act) – ICT Risk Management and Vulnerability Handling
Control ID: Art. 9(2), Art. 10(2)
CISA ZTMM 2.0 – Robust Identity and Access Controls; Application Security
Control ID: Identity Pillar 2.2, Devices Pillar 3.4, Applications Pillar 4.1
NIS2 Directive – Access Control, Asset and Vulnerability Management
Control ID: Art. 21(2)(d)-(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
GitLab vulnerabilities expose software development infrastructure to DoS attacks and 2FA bypass, compromising code repositories and deployment pipelines critical for software engineering operations.
Information Technology/IT
Zoom MMR remote code execution and GitLab authentication bypass create severe risks for IT infrastructure management, video conferencing systems, and DevOps environments requiring immediate patching.
Financial Services
Critical vulnerabilities in collaboration and development platforms threaten financial institutions' secure communications, code deployment processes, and regulatory compliance requirements including PCI and NIST frameworks.
Health Care / Life Sciences
Zoom RCE and GitLab 2FA bypass vulnerabilities compromise telemedicine platforms and healthcare IT systems, violating HIPAA encryption and access control requirements for patient data protection.
Sources
- Zoom and GitLab Release Security Updates Fixing RCE, DoS, and 2FA Bypass Flaws: https://thehackernews.com/2026/01/zoom-and-gitlab-release-security.html (Verified)
- Zoom Security Bulletin: ZSB-26001: https://www.zoom.com/en/trust/security-bulletin/zsb-26001/ (Verified)
- GitLab Patch Release: 18.8.2 Released: https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, real-time inline IPS, and egress policy enforcement would have restricted unauthorized exploitation, lateral traversal, and blocked sensitive data leakage. Automated anomaly detection and microsegmentation further reduce blast radius and provide auditability of east-west and outbound traffic.
Control: Inline IPS (Suricata)
Mitigation: Detected and blocked known exploit payloads used in active exploitation.
Control: Zero Trust Segmentation
Mitigation: Limited exploit scope and prevented privilege escalation impact beyond authorized boundaries.
Control: East-West Traffic Security
Mitigation: Detected and contained unauthorized internal traffic attempting horizontal movement.
Control: Multicloud Visibility & Control
Mitigation: Anomalous outbound patterns and suspicious automation were detected in real time.
Control: Egress Security & Policy Enforcement
Mitigation: Blocked unauthorized outbound data transfers to untrusted destinations.
Together, these controls reduce the operational blast radius and accelerate threat detection and response.
Impact at a Glance
Affected Business Functions
- Video Conferencing
- Software Development
- Version Control
Estimated downtime: 2 days
Estimated loss: $500,000
Potential exposure of sensitive meeting content and user credentials due to remote code execution and authentication bypass vulnerabilities.
Recommended Actions
Key Takeaways & Next Steps
- Accelerate patch deployment for all critical cloud workloads and SaaS platform components, prioritizing network-facing and authentication endpoints.
- Implement inline IPS and east-west segmentation controls to stop exploits and lateral movement before privilege escalation can occur.
- Enforce granular, identity-aware network policies and microsegmentation based on role and workload context to contain post-compromise activity.
- Deploy egress filtering and real-time anomaly detection to identify and block suspicious outbound data movements and C2 communications.
- Establish continuous multicloud visibility, centralized policy enforcement, and automated incident response to strengthen Zero Trust posture and reduce response times.