Roundcube email flaw is being exploited, so patch now, US government warns

Pls share this post

Listen to this article

A vulnerability in the Roundcube email server platform is being actively exploited, the US government warns, urging its bodies to apply the patch and secure their instances sooner, rather than later.

In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent cross-site scripting (XSS) bug is being actively exploited in the wild. The bug, tracked as CVE-2023-43770, is abused via a custom-built plain/text messages and links. 

The flaw affects Roundcube email servers versions between 1.4.14 and 1.5.4 and  versions between 1.6.0 and 1.6.3. The patch was released roughly half a year ago. CISA also said that U.S. Federal Civilian Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and secure their endpoints. 

READ ALSO  Firm behind software used by AMD, Nvidia to make GPU and CPUs quietly unveils its own supercomputer — as it appears to emulate Apple by bringing hardware and software closer together

Private sector at risk, too

While CISA focuses solely on government agencies, that doesn’t mean private sector organizations aren’t at risk, too. 

A BleepingComputer report says that there are currently more than 130,000 Roundcube servers on the internet right now. There’s no telling how many of these are vulnerable to the cross-site scripting vulnerability. 

The same publication also states that there was a similar Roundcube flaw (cross-site scripting), tracked as CVE-2023-5631. This one was abused, as a zero-day, by a Russian threat actor known as Winter Vivern. The campaign apparently started on October 11 last year, and resulted in the hackers stealing emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.

READ ALSO  Storage startup uses your GPU to create virtual super fast SSD — but for some reason, it is not yet compatible with Intel and AMD tech

Roundcube is a web-based IMAP email client, whose most popular feature is the pervasive use of Ajax technology. The product is free and open source, subject to the terms of the GNU General Public License (except for skins and plugins). It was initially released in 2008, 16 years ago. 

More from TechRadar Pro


Pls share this post
Previous articleApple is ramping up its fight against malware
Next articleJeff Bezos is reportedly interested in buying more Miami real estate. Take a look at all the lavish US properties he owns.