Your Windows version of Cisco Jabber poses a security risk

On September 2nd, 2020, Cisco issued a Critical Security Advisory announcement regarding Cisco’s Jabber for Windows that customers should be aware of. A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attackers to execute arbitrary code. Attackers could achieve remote code execution by sending specially crafted chat messages.

To exploit this vulnerability, an attacker must be able to send XMPP messages to end-user systems running Cisco Jabber for Windows. Attackers may require access to the same XMPP domain or an-other method of access to be able to send messages to clients.

The issue has the follow advisory code: CVE-2020-3495

The vulnerabilities affect all currently supported versions of the Cisco Jabber client for Windows (12.1 – 12.9). Systems using Cisco Jabber in phone-only mode (without XMPP messaging services enabled) are not vulnerable to exploitation. There are no workarounds that address this vulnerability.

What Should You Do if Your Version of Jabber is Impacted?

Any customers running an affected version of Jabber, should upgrade as soon as possible. See the fixes in the table below:

• Users operating version 12.1 should upgrade to 12.1.3
• Users operating version 12.5 should upgrade to 12.5.2
• Users operating version 12.6 should upgrade to 12.6.3
• Users operating version 12.7 should upgrade to 12.7.2
• Users operating version 12.8 should upgrade to 12.8.3
• Users operating version 12.9 should upgrade to 12.9.1

The latest versions can be downloaded from the following URL:

https://software.cisco.com/download/home/284324806/type/284006014/release/

If this vulnerability applies to you, it’s time to update. If you have any questions or would like to talk to a OneNeck expert about Cisco Jabber, we are here to help…

Keep Moving Forward. We Got Your Back.

Additional Resources: