Roundcube email server bug now exploited in attacks

CISA warns that a Roundcube email server vulnerability patched in September is now actively exploited in cross-site scripting (XSS) attacks.

The security flaw (CVE-2023-43770) is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information via plain/text messages maliciously crafted links in low-complexity attacks requiring user interaction.

The vulnerability impacts Roundcube email servers running versions newer than 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

“We strongly recommend to update all productive installations of Roundcube 1.6.x with this new version,” the Roundcube security team said when it released CVE-2023-43770 security updates five months ago.

While it didn’t provide any details on the attacks, CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog, cautioning that such security flaws are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”

CISA also ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure Roundcube webmail servers against this security bug within three weeks, by March 4, as mandated by a binding operational directive (BOD 22-01) issued in November 2021.

Although the primary focus of the KEV catalog is to alert federal agencies about vulnerabilities that need to be patched as soon as possible, private organizations worldwide are also highly advised to prioritize addressing this flaw. 

Shodan is currently tracking over 132,000 Roundcube servers accessible on the internet. However, no information is available on how many are vulnerable to ongoing attacks using CVE-2023-43770 exploits.

​Another Roundcube flaw, a stored cross-site scripting (XSS) vulnerability tracked as CVE-2023-5631, was targeted as a zero-day by the Winter Vivern (aka TA473) Russian hacking group since at least October 11.

The attackers used HTML email messages containing carefully crafted malicious SVG documents designed to inject arbitrary JavaScript code remotely.

The JavaScript payload dropped in the October attacks allowed the Russian hackers to steal emails from compromised Roundcube webmail servers belonging to government entities and think tanks in Europe.

Winter Vivern operators also exploited the CVE-2020-35730 Roundcube XSS vulnerability between August and September 2023.

The same bug was used by the Russian APT28 cyber-espionage group, part of Russia’s General Staff Main Intelligence Directorate (GRU), to breach Roundcube email servers belonging to the Ukrainian government.

Winter Vivern hackers also exploited the Zimbra CVE-2022-27926 XSS vulnerability in early-2023 to target NATO countries and steal emails belonging to NATO governments, officials, and military personnel.