Roundcube email flaw is being exploited, so patch now, US government warns

Sead Fadilpašić

February 13, 2024 at 1:12 PM·2 min read

A laptop showing lots of email notifications.

A vulnerability in the Roundcube email server platform is being actively exploited, the US government warns, urging its bodies to apply the patch and secure their instances sooner, rather than later.

In a security advisory, the Cybersecurity and Infrastructure Security Agency (CISA) said that a persistent cross-site scripting (XSS) bug is being actively exploited in the wild. The bug, tracked as CVE-2023-43770, is abused via a custom-built plain/text messages and links.

The flaw affects Roundcube email servers versions between 1.4.14 and 1.5.4 and versions between 1.6.0 and 1.6.3. The patch was released roughly half a year ago. CISA also said that U.S. Federal Civilian Executive Branch (FCEB) agencies have until March 4 to patch the vulnerability and secure their endpoints.

Private sector at risk, too

While CISA focuses solely on government agencies, that doesn’t mean private sector organizations aren’t at risk, too.

A BleepingComputer report says that there are currently more than 130,000 Roundcube servers on the internet right now. There’s no telling how many of these are vulnerable to the cross-site scripting vulnerability.

The same publication also states that there was a similar Roundcube flaw (cross-site scripting), tracked as CVE-2023-5631. This one was abused, as a zero-day, by a Russian threat actor known as Winter Vivern. The campaign apparently started on October 11 last year, and resulted in the hackers stealing emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.

Roundcube is a web-based IMAP email client, whose most popular feature is the pervasive use of Ajax technology. The product is free and open source, subject to the terms of the GNU General Public License (except for skins and plugins). It was initially released in 2008, 16 years ago.

More from TechRadar Pro

The US government has suffered a whole load of data breaches we never even knew about
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Yahoo Sports
Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race
Race organizers say they'll revoke a Trump fundraiser's suite license if he holds an event for the former president on Sunday at the race.
12h ago
Yahoo Sports
2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick
Yahoo Sports' Charles McDonald breaks down the Broncos' 2024 draft.
1d ago
Yahoo Sports
Chiefs sign Travis Kelce to new contract that reportedly makes him highest-paid TE in NFL
Travis Kelce has reportedly gotten a raise.
4h ago
Yahoo Sports
NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in
Not everyone was thrilled with their team's draft on Thursday night.
4d ago
Yahoo Sports
NFL Draft grades for all 32 teams | Zero Blitz
Jason Fitz and Frank Schwab join forces to recap the draft in the best way they know how: letter grades! Fitz and Frank discuss all 32 teams division by division as they give a snapshot of how fans should be feeling heading into the 2024 season. The duo have key debates on the Dallas Cowboys, New York Giants, New Orleans Saints, Los Angeles Rams, New England Patriots, Las Vegas Raiders and more.
6h ago
Yahoo Sports
NFL Draft: Bears take Iowa punter, who immediately receives funny text from Caleb Williams
There haven't been many punters drafted in the fourth round or higher like Tory Taylor just was. Chicago's No. 1 overall pick welcomed him in unique fashion.
2d ago
Yahoo Sports
The expanded 12-team College Football Playoff is here — and it already has problems
There is cause for excitement around the new playoff format. There's also lots of complaints and criticism to go around.
14h ago
Yahoo Sports
Ryan Reynolds and Rob McElhenney, after Wrexham success, purchase stake in Liga MX’s Necaxa
Reynolds and McElhenney are the latest celebrities to invest in Necaxa in recent years.
5h ago
Yahoo Sports
Joel Embiid not happy that Knicks fans took over 76ers home playoff games: It 'pisses me off'
"I don't think that should happen. It's not OK."
1d ago
Autoblog
Rivian put out a feeler to test buyers' willingness to spend on a new R2
Members of the Rivian subreddit posted details of a survey they received, asking how much they'd be willing to spend on different R2 configurations.
13h ago
Yahoo Sports
Cowboys owner Jerry Jones compared his 2024 NFL Draft strategy to robbing a bank
Dallas Cowboys owner Jerry Jones made an amusing analogy when asked why the team selected three offensive lineman in the 2024 NFL Draft.
2d ago
Yahoo Sports
2024 NFL Draft grades: Kansas City Chiefs get even richer with one of the best hauls this year
Yahoo Sports' Charles McDonald breaks down the Chiefs' 2024 draft.
1d ago
Yahoo Finance
The stock market has a 'systemic problem'
Rising Treasury yields are once again a headwind for stocks. Strategists don't see relief coming unless Fed Chair Jerome Powell is surprisingly dovish in his press conference on Wednesday.
9h ago
Yahoo Sports
2024 NFL Draft grades: Baltimore Ravens do what they do best — let good players fall into their laps
Yahoo Sports' Charles McDonald breaks down the Ravens' 2024 draft.
2d ago
Yahoo Sports
Broncos, Jets, Lions and Texans have new uniforms. Let's rank them
Which new uniforms are winners this season?
6d ago
Yahoo Sports
2024 NFL Draft grades: Minnesota Vikings risked a lot to get J.J. McCarthy and Dallas Turner
Yahoo Sports' Charles McDonald breaks down the Vikings' 2024 draft.
1d ago
Yahoo Finance
Jamie Dimon is worried the US economy is headed back to the 1970s
JPMorgan's CEO is concerned the US economy could be in for a repeat of the stagflation that hampered the country during the 1970s.
6d ago
Yahoo Sports
NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show
Every player was dressed to impress at the 2024 NFL Draft.
4d ago
Yahoo Sports
2024 NFL Draft grades: Los Angeles Chargers begin Jim Harbaugh's roster restock with very good class
Yahoo Sports' Charles McDonald breaks down the Chargers' 2024 draft.
1d ago
Yahoo Sports
NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare
Tyrese Haliburton hit a floater with 1.1 seconds left in overtime to give the Indiana Pacers a 121–118 win over the Milwaukee Bucks. The Pacers lead their first-round playoff series two games to one.
3d ago

News

Life

Entertainment

Finance

Sports

New on Yahoo

Roundcube email flaw is being exploited, so patch now, US government warns

Private sector at risk, too

More from TechRadar Pro

Recommended Stories

Formula 1: Miami Grand Prix sends cease and desist letter to prevent Donald Trump fundraiser during race

2024 NFL Draft grades: Denver Broncos earn one of our lowest grades mostly due to one pick

Chiefs sign Travis Kelce to new contract that reportedly makes him highest-paid TE in NFL

NFL Draft: Packers fan upset with team's 1st pick, and Lions fans hilariously rubbed it in

NFL Draft grades for all 32 teams | Zero Blitz

NFL Draft: Bears take Iowa punter, who immediately receives funny text from Caleb Williams

The expanded 12-team College Football Playoff is here — and it already has problems

Ryan Reynolds and Rob McElhenney, after Wrexham success, purchase stake in Liga MX’s Necaxa

Joel Embiid not happy that Knicks fans took over 76ers home playoff games: It 'pisses me off'

Rivian put out a feeler to test buyers' willingness to spend on a new R2

Cowboys owner Jerry Jones compared his 2024 NFL Draft strategy to robbing a bank

2024 NFL Draft grades: Kansas City Chiefs get even richer with one of the best hauls this year

The stock market has a 'systemic problem'

2024 NFL Draft grades: Baltimore Ravens do what they do best — let good players fall into their laps

Broncos, Jets, Lions and Texans have new uniforms. Let's rank them

2024 NFL Draft grades: Minnesota Vikings risked a lot to get J.J. McCarthy and Dallas Turner

Jamie Dimon is worried the US economy is headed back to the 1970s

NFL Draft fashion: Caleb Williams, Malik Nabers dressed to impress, but Marvin Harrison Jr.'s medallion stole the show

2024 NFL Draft grades: Los Angeles Chargers begin Jim Harbaugh's roster restock with very good class

NBA playoffs: Tyrese Hailburton game-winner and potential Damian Lillard Achilles injury leaves Bucks in nightmare