Cisco Patches Wormable, Zero-Click Vulnerability in Jabber

Three months after addressing a critical flaw in Jabber for Windows, Cisco released patches for a similar vulnerability in the video conferencing and instant messaging client.

In early September, the company released fixes for a total of four security bugs in Jabber, the most severe of which featured a CVSS score of 9.9. It allowed attackers to execute arbitrary code remotely, through specially crafted Extensible Messaging and Presence Protocol (XMPP) messages.

Several weeks after patches were issued, Watchcom, the security firm that found the bugs, discovered that the released patches were insufficient. This led to the identification of three new bugs, one of which features a CVSS score of 9.9.

Tracked as CVE-2020-26085, the critical vulnerability is a cross-site scripting (XSS) issue that leads to remote code execution (RCE) on the underlying operating system, with elevated privileges.

Built on the Chromium Embedded Framework (CEF), Jabber uses HTML, CSS, and JavaScript for the UI, along with other technologies. The XSS, Watchcom explains, could be used to escape the CEF sandbox without user interaction.

Furthermore, with the payload delivered via instant messages, the vulnerability is wormable, the security firm explains. The bug, which exists because the content of messages is not properly validated, affects both Jabber for Windows and Jabber for macOS.

“An attacker could exploit this vulnerability by sending specially crafted XMPP messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco explains.

Watchcom also discovered two medium-severity issues in Jabber (CVE-2020-27132 and CVE-2020-27127). The former can lead to leaking NTLM password hashes, while the latter could result in the attacker sending arbitrary input to the Jabber client, by tricking the user into clicking on a link.

Internally, Cisco identified two other issues in Jabber, both rated high severity. The first of them, CVE-2020-27134 (CVSS score of 8.0), is an arbitrary script injection in Jabber for Windows and Jabber for macOS. Requiring user interaction, the flaw could lead to the execution of arbitrary programs or the leakage of sensitive information.

The second issue, CVE-2020-27133 (CVSS score of 8.8), affects Jabber for Windows and could lead to the execution of arbitrary commands. The attacker needs to convince the user to click on a link.

While there are no workarounds to mitigate these issues, Cisco has addressed them with software updates for the Windows, macOS, Android, and iOS Jabber clients. The company says it is not aware of these flaws being targeted in attacks.

“Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. This can be done by disabling XMPP federation or configuring a policy for XMPP federation,” Watchcom notes.