PatchSiren cyber security CVE debrief
CVE-2017-5606 Xabber CVE debrief
CVE-2017-5606 is a medium-severity XMPP client flaw affecting Xabber Android builds listed by NVD as vulnerable when Message Carbons is manually enabled. The issue can let a remote attacker make the app display messages as if they came from another user, including contacts, which creates a social-engineering risk rather than direct code execution or data loss.
- Vendor: Xabber
- Product: CVE-2017-5606
- CVSS: MEDIUM (5.9)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Organizations and individuals using Xabber on Android, especially deployments where XEP-0280 Message Carbons was manually enabled. Messaging support teams and mobile app administrators should also care because the flaw can mislead users through impersonated message displays.
Technical summary
NVD describes an incorrect implementation of XEP-0280 Message Carbons in multiple XMPP clients. For Xabber Android, the vulnerable scope includes versions up to 1.0.30 and 1.0.30 VIP, with the issue noted as applying only if Message Carbons is manually enabled. The attack is network-based and requires no privileges or user interaction, but the CVSS vector shows high attack complexity and integrity impact only (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). The practical effect is display impersonation in the client UI, which can be used for social engineering.
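The check that a correct XEP-0280 implementation performs is simple to state: a carbon copy (a <received/> or <sent/> wrapper) may only be trusted if the outer stanza arrives from the user's own bare JID, because only the user's own server is permitted to forward copies. The following is an added illustration, not Xabber's code and not derived from the linked references; it assumes the client hands each raw <message/> stanza to classify_message() as a string together with the account's own bare JID, and the sample stanzas are constructed for the example. It also honours a carbons_enabled flag so that a client with the feature turned off ignores carbon wrappers altogether, which is the first defensive action listed below.

```python
"""Decide what sender to display for an incoming XMPP message stanza.

Added example (not Xabber's code). A carbon wrapper is only honoured when the
outer stanza comes from our own bare JID, as XEP-0280 requires; anything else
is dropped so the UI never shows a forwarded sender it cannot vouch for.
"""
import xml.etree.ElementTree as ET

NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def _ns(tag):
    """Return the namespace URI of a qualified tag, or '' if unqualified."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _child(elem, name, ns=None):
    """First child with the given local name (and namespace, when given)."""
    if elem is None:
        return None
    for child in elem:
        if _local(child.tag) == name and (ns is None or _ns(child.tag) == ns):
            return child
    return None


def bare_jid(jid):
    """user@host/resource -> user@host (JID local/domain parts are case-insensitive)."""
    return jid.split("/", 1)[0].lower()


def classify_message(stanza_xml, own_bare_jid, carbons_enabled=True):
    """Return (kind, sender_to_display, body) or None if the stanza must be ignored.

    kind is 'direct', 'carbon-received' or 'carbon-sent'.
    """
    outer = ET.fromstring(stanza_xml)
    if _local(outer.tag) != "message":
        return None

    wrapper = _child(outer, "received", NS_CARBONS)
    if wrapper is None:
        wrapper = _child(outer, "sent", NS_CARBONS)

    if wrapper is None:
        # Ordinary message: the sender shown is the stanza's own 'from'.
        body = _child(outer, "body")
        return ("direct", outer.get("from", ""), body.text if body is not None else "")

    if not carbons_enabled:
        # Feature switched off: never unwrap carbons, regardless of origin.
        return None

    # The XEP-0280 security requirement: carbons MUST originate from our own
    # bare JID (i.e. our server). Any other origin is discarded entirely.
    sender = outer.get("from")
    if sender is None or bare_jid(sender) != bare_jid(own_bare_jid):
        return None

    forwarded = _child(wrapper, "forwarded", NS_FORWARD)
    inner = _child(forwarded, "message")
    if inner is None:
        return None

    body = _child(inner, "body")
    kind = "carbon-" + _local(wrapper.tag)
    # A received carbon shows the original contact; a sent carbon is our own text.
    shown_from = inner.get("from", "") if kind == "carbon-received" else bare_jid(own_bare_jid)
    return (kind, shown_from, body.text if body is not None else "")


# Constructed sample stanzas (not captured traffic).
PLAIN_MESSAGE = (
    "<message xmlns='jabber:client' from='bob@example.org/laptop' "
    "to='alice@example.org/phone' type='chat'><body>hi</body></message>"
)

LEGIT_CARBON = (
    "<message xmlns='jabber:client' from='alice@example.org' to='alice@example.org/phone'>"
    "<received xmlns='urn:xmpp:carbons:2'><forwarded xmlns='urn:xmpp:forward:0'>"
    "<message xmlns='jabber:client' from='bob@example.org/laptop' "
    "to='alice@example.org/desktop' type='chat'><body>Lunch at noon?</body></message>"
    "</forwarded></received></message>"
)

# Same wrapper shape, but the outer stanza is not from our own bare JID.
UNTRUSTED_CARBON = LEGIT_CARBON.replace("from='alice@example.org'", "from='other@example.net'")

if __name__ == "__main__":
    for name, stanza in [("plain", PLAIN_MESSAGE), ("carbon", LEGIT_CARBON), ("untrusted", UNTRUSTED_CARBON)]:
        print(name, classify_message(stanza, "alice@example.org"))
```

Running the block prints a display tuple for the plain message and the legitimate carbon, and None for the third stanza, which a conforming client drops rather than rendering under the forwarded contact's name.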
Defensive priority
Medium. The flaw is remotely reachable and can undermine trust in message authenticity, but NVD rates it as high-complexity with integrity-only impact and no availability or confidentiality impact.
Recommended defensive actions
- Review whether XEP-0280 Message Carbons is enabled in Xabber Android deployments; disable it if it is not required.
- Treat unexpected sender identity changes in chat clients as suspicious and verify sensitive requests through an independent channel.
- Restrict reliance on client-side display names or message origin indicators for security decisions.
- Check vendor and NVD guidance for a fixed Xabber release before continuing use of affected builds.
- Monitor user reports for spoofed-message behavior and document any environments still running affected versions.
Evidence notes
This debrief is based on the supplied NVD record and linked references only. The NVD metadata lists affected Xabber Android CPEs and the CVSS v3.1 vector. The CVE description states that incorrect XEP-0280 Message Carbons handling can allow remote impersonation in the application's display and specifically notes Xabber Android as affected only when Message Carbons is manually enabled. No KEV entry is listed in the provided enrichment data.
Official resources
- CVE-2017-5606 CVE record (CVE.org)
- CVE-2017-5606 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Exploit, Technical Description, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Exploit, Technical Description, Third Party Advisory
Publicly disclosed on 2017-02-09, based on the CVE and source record dates supplied here. The 2026 modified timestamp reflects metadata updates, not the original issue date.