A vulnerability in the Roundcube email server platform is being actively exploited, the US government warns, urging its agencies to patch and secure their instances as soon as possible.
In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent (stored) cross-site scripting (XSS) bug in Roundcube is being actively exploited. The bug, tracked as CVE-2023-43770, is abused via crafted links in plain-text messages.
The flaw affects versions of Roundcube email servers between 1.4.14 and 1.5.4 and versions between 1.6.0 and 1.6.3. The patch was released about half a year ago. CISA also said that US Federal Civil Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and protect their endpoints.
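The following script is an added example for administrators triaging an inventory of Roundcube instances against the version ranges the article lists; it is not code from the article or from the Roundcube project. The ranges are copied from the text as stated; treating both ends of each range as inclusive is an assumption of this example and should be confirmed against the Roundcube release notes. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected Roundcube version ranges as stated in the article. Both bounds are
# treated as inclusive here; that inclusivity is an assumption of this example,
# so confirm against the project's own release notes before relying on it.
AFFECTED_RANGES = [
    ((1, 4, 14), (1, 5, 4)),
    ((1, 6, 0), (1, 6, 3)),
]


def parse_version(text):
    """Turn a version string such as '1.6.3' (or '1.6.3-rc') into a tuple of ints.

    Only the leading numeric major.minor[.patch] part is used; a missing patch
    component is read as 0. Anything else raises ValueError.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if the version falls inside any of the stated affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in ranges)


def triage(inventory, ranges=AFFECTED_RANGES):
    """Classify (hostname, version) pairs.

    Returns a dict mapping hostname to one of:
      'affected'              - version lies in a stated affected range
      'not-in-stated-ranges'  - parsed fine but outside every range
      'unknown-version'       - version string could not be parsed
    """
    result = {}
    for host, version in inventory:
        try:
            status = "affected" if is_affected(version, ranges) else "not-in-stated-ranges"
        except ValueError:
            status = "unknown-version"
        result[host] = status
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    SAMPLE_INVENTORY = [
        ("mail.example.test", "1.6.2"),
        ("webmail.example.test", "1.6.4"),
        ("legacy.example.test", "1.3.10"),
        ("odd.example.test", "n/a"),
    ]
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `not-in-stated-ranges` are not necessarily safe: a version below 1.4.14 is simply outside what the article enumerates, and `unknown-version` entries need a manual look at the installed release.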
The private sector is also at risk
While CISA focuses solely on government agencies, that doesn't mean private sector organizations aren't at risk as well.
According to a BleepingComputer report, there are currently more than 130,000 Roundcube servers exposed on the Internet. It is not known how many of these are vulnerable to the cross-site scripting vulnerability.
The same post also notes that a similar cross-site scripting flaw in Roundcube, tracked as CVE-2023-5631, was abused as a zero-day by a Russian threat actor known as Winter Vivern. That campaign apparently began on October 11 last year and resulted in the attackers stealing emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.
Roundcube is a web-based IMAP email client, best known for its extensive use of Ajax technology. The product is free and open source, released under the terms of the GNU General Public License (except for skins and plugins). It was initially released in 2008, 16 years ago.