Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Roundcube email flaw is being exploited, so patch now, US government warns

A laptop showing lots of email notifications.

A vulnerability in the Roundcube email server platform is being actively exploited, the US government warns, urging its bodies to apply the patch and secure their instances sooner, rather than later.

In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent cross-site scripting (XSS) bug is being actively exploited in the wild. The bug, tracked as CVE-2023-43770, is abused via a custom-built plain/text messages and links. 

The flaw affects Roundcube email servers versions between 1.4.14 and 1.5.4 and  versions between 1.6.0 and 1.6.3. The patch was released roughly half a year ago. CISA also said that U.S. Federal Civilian Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and secure their endpoints. 

Private sector at risk, too

While CISA focuses solely on government agencies, that doesn’t mean private sector organizations aren’t at risk, too. 

A BleepingComputer report says that there are currently more than 130,000 Roundcube servers on the internet right now. There’s no telling how many of these are vulnerable to the cross-site scripting vulnerability. 

The same publication also states that there was a similar Roundcube flaw (cross-site scripting), tracked as CVE-2023-5631. This one was abused, as a zero-day, by a Russian threat actor known as Winter Vivern. The campaign apparently started on October 11 last year, and resulted in the hackers stealing emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.

Roundcube is a web-based IMAP email client, whose most popular feature is the pervasive use of Ajax technology. The product is free and open source, subject to the terms of the GNU General Public License (except for skins and plugins). It was initially released in 2008, 16 years ago. 

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.