CISA warns of actively exploited flaw in Roundcube Webmail (CVE-2023-43770)

The Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm on a significant ‘actively exploited’ flaw in Roundcube Webmail (CVE-2023-43770). This vulnerability could permit attackers to execute malicious code directly in your webmail client, presenting a substantial risk to both private and government organizations.
At the core of this alarm is CVE-2023-43770, a flaw with a CVSS score of 6.1, a moderate severity rating that understates its practical impact. The vulnerability allows Cross-Site Scripting (XSS) attacks through seemingly innocuous text/plain email messages containing crafted links. The root cause is a specific behavior in the program/lib/Roundcube/rcube_string_replacer.php file. Versions of Roundcube before 1.4.14, as well as 1.5.x before 1.5.4 and 1.6.x before 1.6.3, are at risk, exposing an untold number of systems to potential compromise.

With the deadline set for March 4, 2024, U.S. federal agencies find themselves racing against time to audit their systems for exposure to CVE-2023-43770 and to implement the necessary security updates or mitigations. This directive, however, extends beyond the realm of federal responsibility. The global private sector is equally advised to heed this warning and prioritize the security of their systems against this flaw.
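For teams doing the audit described above, the affected-version ranges quoted in this article can be encoded directly. The following is an added example (not from the article or the Roundcube project) that classifies Roundcube version strings against those ranges; the inventory it runs over is constructed for illustration.

```python
"""Classify Roundcube version strings against the ranges the advisory lists
as affected by CVE-2023-43770 (added example, not project code)."""
import re

# First fixed release per branch, exactly as stated in the advisory text.
FIXED_BY_BRANCH = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}


def parse_version(text):
    """Extract (major, minor, patch) from strings like '1.6.2' or
    'Roundcube Webmail 1.5.3'. A missing patch component counts as 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version_text):
    """True if the version falls inside an affected range for CVE-2023-43770."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Anything older than the 1.4 branch is "before 1.4.14" and therefore
    # affected; branches newer than 1.6 are outside the advisory's ranges
    # and are treated as fixed (an assumption of this example).
    return version < (1, 4, 0)


def triage(inventory):
    """Return the hostnames whose reported version is affected.
    `inventory` maps hostname -> version string (constructed sample data)."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    sample = {  # constructed, not real hosts
        "mail-a.example": "Roundcube Webmail 1.6.2",
        "mail-b.example": "1.6.3",
        "mail-c.example": "1.5.3",
        "mail-d.example": "1.3.17",
    }
    print("affected:", triage(sample))
```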

This isn’t the first time Roundcube Webmail has found itself in the eye of a cybersecurity storm. The platform has been a favored target for hackers, with its vulnerabilities being exploited in numerous incidents over the years. Notably, the Winter Vivern Russian hacking group has leveraged a zero-day vulnerability in Roundcube in its operations against European government entities and think tanks since at least October 11, 2023.

In response to the identified threat, the Roundcube development team has taken swift action, releasing security updates aimed at patching the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) reported by ESET researchers on October 16, 2023.