
CISA alert: vulnerability in Roundcube exploited by attackers

Immediate measures needed to mitigate exploitation of a critical bug in Roundcube

CISA has warned of a security vulnerability in Roundcube that can lead to data leakage through XSS attacks. Flaws in Roundcube have been exploited in several past attacks. Updating Roundcube is recommended.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory about a vulnerability in the popular web-based email client Roundcube. The flaw, CVE-2023-43770, was patched in September 2023 but has recently been exploited in live attacks. Roundcube is an open source IMAP client that is accessed through a browser and features an application-like user interface.

Details about the vulnerability CVE-2023-43770

CVE-2023-43770 is a vulnerability that allows an attacker to conduct cross-site scripting (XSS) attacks using specially crafted links contained in plain text email messages. Such XSS attacks can lead to disclosure of sensitive information. The flaw affects Roundcube versions 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. Proof-of-concept exploit code for this vulnerability has been available online for many months.

Previous Roundcube exploits related to cyber-espionage

In previous incidents dating back to June 2023, Recorded Future and the Ukrainian CERT documented a spear-phishing campaign targeting several Ukrainian state institutions. The emails exploited an XSS flaw in Roundcube (CVE-2020-35730) and a SQL injection vulnerability (CVE-2021-44026) to exfiltrate data from the Roundcube database. In October of the same year, cybersecurity firm ESET reported that the Winter Vivern APT group had exploited another Roundcube XSS flaw as a zero-day against government targets across Europe.

Roundcube security tips and updates

CISA emphasizes that vulnerabilities such as these are an attack vector frequently exploited by malicious actors and pose significant risks. Flaws found in Roundcube are regularly addressed and corrected by the software's maintainers, and organizations using it are advised to remain alert and promptly apply available security updates.

02/13/2024 10:14

Editorial AI
