A vulnerability in the Roundcube email server platform is being actively exploited, the US government warns, urging its bodies to apply the patch and secure their instances sooner, rather than later.
In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent cross-site scripting (XSS) bug is being actively exploited in the wild. The bug, tracked as CVE-2023-43770, is abused via a custom-built plain/text messages and links.
The flaw affects Roundcube email servers versions between 1.4.14 and 1.5.4 and versions between 1.6.0 and 1.6.3. The patch was released roughly half a year ago. CISA also said that U.S. Federal Civilian Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and secure their endpoints.
Private sector at risk, too
While CISA focuses solely on government agencies, that doesn’t mean private sector organizations aren’t at risk, too.
A BleepingComputer report says that there are currently more than 130,000 Roundcube servers on the internet right now. There’s no telling how many of these are vulnerable to the cross-site scripting vulnerability.
The same publication also states that there was a similar Roundcube flaw (cross-site scripting), tracked as CVE-2023-5631. This one was abused, as a zero-day, by a Russian threat actor known as Winter Vivern. The campaign apparently started on October 11 last year, and resulted in the hackers stealing emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.
Roundcube is a web-based IMAP email client, whose most popular feature is the pervasive use of Ajax technology. The product is free and open source, subject to the terms of the GNU General Public License (except for skins and plugins). It was initially released in 2008, 16 years ago.