Cisco patches Critical Jabber RCE vulnerability (CVE-2020-3495) and 15 other security fixes


Cisco issued a security advisory and patch for a new Cisco Jabber software RCE vulnerability, as well as security fixes for multiple other products.

The remote code execution (RCE) vulnerability CVE-2020-3495 exists in the Cisco Jabber messaging client for Windows.

“The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages to the affected software,” warned Cisco in the advisory.

As a consequence, an unauthenticated remote attacker could cause the Jabber client to launch arbitrary programs on the victim's system with the privileges of the user running Jabber, which amounts to arbitrary code execution.

The Critical-rated flaw carries a CVSS base score of 9.8. It affects only Cisco Jabber for Windows; Cisco Jabber for MacOS and Cisco Jabber for mobile platforms are not affected.

In addition, Cisco patched a High severity Protocol Handler Command Injection vulnerability, CVE-2020-3430, in Cisco Jabber. By convincing a user to open a crafted link that is passed to the Jabber protocol handler, an attacker could cause unpatched Jabber software to execute arbitrary commands.

Readers can also check out security firm Watchcom’s blog post for more details on the Jabber vulnerabilities and proof of concept.

Additional Cisco patches

In addition to the Jabber issues, Cisco also patched the following High risk vulnerabilities:

Finally, 11 Medium severity vulnerabilities were also patched across multiple Cisco products, including two more Jabber flaws.

The latest advisories come just a day after Cisco issued a security advisory warning of a Cisco IOS XR software zero-day vulnerability CVE-2020-3566 under active exploit in the wild.

Check out the latest Cisco advisories as of September 2, 2020. System and Network administrators should deploy security updates to affected devices as soon as possible.
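The practical question for Windows administrators is which installed Jabber builds are still below the first fixed release of their train. The script below is an added example, not code from Cisco or from the original article: it reads the Windows uninstall registry keys, picks out Cisco Jabber installs, and compares each DisplayVersion with a fixed-release table. The table values are an assumption taken from Cisco's 2 September 2020 advisory for CVE-2020-3495 and must be confirmed against the current advisory before use; Cisco later revised the fixed releases for the Jabber client, so treat them as a starting point, not an authority.

```powershell
# Added example (not from the Cisco advisory or the original article).
# ASSUMPTION: first fixed releases per train as published for CVE-2020-3495 on
# 2 September 2020. Verify against the current Cisco advisory before relying on them.
$FixedReleases = @{
    '12.1' = [version]'12.1.3'
    '12.5' = [version]'12.5.2'
    '12.6' = [version]'12.6.3'
    '12.7' = [version]'12.7.2'
    '12.8' = [version]'12.8.3'
    '12.9' = [version]'12.9.1'
}

function Get-JabberInstall {
    # Jabber registers under the per-machine Uninstall hive; check both the native
    # and the WOW6432Node view so a 32-bit installer on 64-bit Windows is not missed.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Cisco Jabber*' -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Test-JabberVersion {
    # Classify one DisplayVersion string against the fixed-release table.
    param([Parameter(Mandatory)][string]$DisplayVersion)
    $installed = [version]$DisplayVersion
    $train = '{0}.{1}' -f $installed.Major, $installed.Minor
    if (-not $FixedReleases.ContainsKey($train)) {
        # Trains with no fixed release (for example 12.0 and earlier) must be
        # migrated to a fixed train rather than patched in place.
        return [pscustomobject]@{
            Version = $installed; Train = $train; FixedRelease = $null; Status = 'MigrateToFixedTrain'
        }
    }
    $status = if ($installed -ge $FixedReleases[$train]) { 'Fixed' } else { 'Vulnerable' }
    [pscustomobject]@{
        Version = $installed; Train = $train; FixedRelease = $FixedReleases[$train]; Status = $status
    }
}

# Local run; wrap in Invoke-Command -ComputerName for a fleet.
Get-JabberInstall | ForEach-Object {
    $r = Test-JabberVersion -DisplayVersion $_.DisplayVersion
    '{0}: installed {1} -> {2} (fixed release {3})' -f $_.DisplayName, $r.Version, $r.Status, $r.FixedRelease
}
```

The comparison uses the .NET [version] type rather than string matching, so a four-part build such as 12.8.2.1234 is correctly judged below 12.8.3, and the train lookup keeps a 12.7 install from being judged against the 12.9 fixed release.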
