CISA: Roundcube email server bug now exploited in attacks



CISA warns that a Roundcube email server vulnerability patched in September is now being actively exploited in cross-site scripting (XSS) attacks.

The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via maliciously crafted links in plain/text messages, in low-complexity attacks that require user interaction.

The vulnerability affects Roundcube email servers running versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.
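The affected ranges above are easy to misread because three release branches each have their own fixed version. The following is an added example (not code from the article or from the Roundcube project) that encodes those ranges as a check a practitioner can run against an installed version. It assumes that Roundcube records its version in the `RCMAIL_VERSION` constant in `program/include/iniset.php`; the PHP excerpt in the block is constructed for the demonstration, not copied from a real install.

```python
import re

# Fixed releases per branch, as stated in the advisory for CVE-2023-43770:
# 1.4.x fixed in 1.4.14, 1.5.x fixed in 1.5.4, 1.6.x fixed in 1.6.3.
FIXED_IN = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

# Assumption: Roundcube defines its version like
#   define('RCMAIL_VERSION', '1.6.2');
# in program/include/iniset.php. Suffixes such as '1.7-git' are tolerated.
RCMAIL_VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(version: str) -> tuple:
    """Turn '1.6.2' / '1.6' / '1.7-git' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable_cve_2023_43770(version: str) -> bool:
    """True if the given Roundcube version falls inside an affected range."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        # Inside a maintained branch: vulnerable only below that branch's fix.
        return v < FIXED_IN[branch]
    if v < (1, 4, 14):
        # Branches older than 1.4 (e.g. 1.3.x) never received a fix and are
        # covered by "before 1.4.14": treat as affected.
        return True
    # Branches newer than 1.6 were released after the fix.
    return False


def version_from_iniset(source: str) -> str:
    """Extract the RCMAIL_VERSION constant from the contents of iniset.php."""
    m = RCMAIL_VERSION_RE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in supplied source")
    return m.group(1)


def check_install(iniset_source: str) -> dict:
    """Convenience wrapper: report the detected version and whether it is affected."""
    version = version_from_iniset(iniset_source)
    return {"version": version, "vulnerable": is_vulnerable_cve_2023_43770(version)}


# Constructed excerpt standing in for a real program/include/iniset.php.
SAMPLE_INISET = """<?php
// constructed sample, not a real Roundcube file
define('RCMAIL_VERSION', '1.6.2');
"""

if __name__ == "__main__":
    print(check_install(SAMPLE_INISET))
    for candidate in ("1.3.17", "1.4.13", "1.4.14", "1.5.0", "1.5.4", "1.6", "1.6.3", "1.7-git"):
        print(candidate, "vulnerable" if is_vulnerable_cve_2023_43770(candidate) else "fixed")
```

To use it on a real server, read `program/include/iniset.php` from the Roundcube install directory and pass its contents to `check_install`. The version string alone cannot tell you whether a distribution package backported the fix, so confirm against your vendor's changelog when the package version does not match the upstream numbering.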

"We strongly urge to update all productive installations of Roundcube 1.6.x with this new version," the Roundcube security team said when it released the CVE-2023-43770 security updates five months ago.

While it did not provide any details on the attacks, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, cautioning that such security flaws are "frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

CISA also ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Roundcube webmail servers against this security bug within three weeks, by March 4, as mandated by Binding Operational Directive 22-01 (BOD 22-01) issued in November 2021.

Although the primary focus of the KEV catalog is to alert federal agencies about vulnerabilities that need to be patched as soon as possible, private organizations worldwide are also strongly advised to prioritize addressing this flaw.

Shodan is currently tracking over 132,000 Roundcube servers accessible on the internet. However, no information is available on how many of them are vulnerable to the ongoing attacks using CVE-2023-43770 exploits.

[Figure: Internet-exposed Roundcube servers (Shodan)]

Another Roundcube flaw, a stored cross-site scripting (XSS) vulnerability tracked as CVE-2023-5631, was targeted as a zero-day by the Winter Vivern (aka TA473) Russian hacking group since at least October 11.

The attackers used HTML email messages containing carefully crafted malicious SVG documents designed to inject arbitrary JavaScript code remotely.

The JavaScript payload dropped in the October attacks allowed the Russian hackers to steal emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.

Winter Vivern operators also exploited the CVE-2020-35730 Roundcube XSS vulnerability between August and September 2023.

The same bug was used by the Russian APT28 cyber-espionage group, part of Russia's General Staff Main Intelligence Directorate (GRU), to breach Roundcube email servers belonging to the Ukrainian government.

Winter Vivern hackers also exploited the Zimbra CVE-2022-27926 XSS vulnerability in early 2023 to target NATO countries and steal emails belonging to NATO governments, officials, and military personnel.