The patch that wasn't: Cisco emits fresh fixes for NTLM hash-spilling vuln and XSS-RCE combo in Jabber app


Wormable nasty still doesn't need any user input to pwn target devices
Gareth Corfield
Thu 10 Dec 2020 // 17:30 UTC
A previous patch for Cisco's Jabber chat product did not in fact fix four vulnerabilities – including one remote code execution (RCE) flaw that would allow malicious people to hijack targeted devices by sending a carefully crafted message.
Norwegian infosec biz Watchcom spotted the vulnerabilities, having been asked by a client to verify that a previous patch for CVE-2020-26085 worked as advertised. Instead Watchcom found that the September update didn't fix the underlying problems.
A cross-site scripting (XSS) vuln leading to an RCE, CVE-2020-26085 was rated at 9.9 on the 10-point CVSS v3 scale, falling squarely into the "critical" bracket. It was uncovered by Watchcom in June this year and Cisco issued patches on 2 September that allegedly fixed it, as well as three other vulns.