Roundcube Webmail has released a high-priority security update, version 1.6.14, that patches several significant vulnerabilities affecting both user data and server integrity. This stable-branch release follows reports from several security researchers who found ways to bypass existing defenses, including one flaw that is reachable without logging in.
The most serious fix in this release addresses a pre-authentication arbitrary file write. The flaw sits in the Redis and Memcache session handlers and stems from unsafe deserialization of stored session data.
In plain English, an attacker could write attacker-controlled files to the server before logging in. An arbitrary file write on a PHP application is a common stepping stone to full remote code execution (RCE), for example by dropping a web-accessible script, so the issue should be treated with the same urgency as an RCE.
Roundcube's "remote image blocking" stops a message from loading images from external servers until the user explicitly allows them; without it, a tracking pixel tells the sender when the message was opened and from which IP address. Researchers found several ways to sneak an external image load past this protection:
- SVG Animation: SVG animation elements can change an image's href attribute while the message is rendered, so a filter that only inspects the static src and href attributes never sees the remote URL that ends up being loaded.
- Crafted Body Backgrounds: a specially crafted background attribute on the body element also slipped past the block, since the browser fetches that URL exactly as it would an image.
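To make the two bypass classes above concrete, the following Python scanner is an added example; it is not Roundcube's code and does not reproduce the payloads that were reported to the project. It contrasts a naive filter that only looks at <img src> with a more thorough one that also inspects other URL-bearing attributes (including body background), inline CSS url() references, and the SVG <animate>/<set> attributes (to, from, by, values) that can rewrite an href at render time. The HTML samples and the tracker.example hostname are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Attributes whose value is fetched as a URL when the message is rendered.
URL_ATTRS = {"src", "href", "xlink:href", "background", "poster", "data", "longdesc"}
# SMIL animation elements can rewrite another attribute once the animation runs.
ANIMATION_TAGS = {"animate", "set"}
ANIMATION_VALUE_ATTRS = {"to", "from", "by", "values"}
ANIMATABLE_URL_TARGETS = {"href", "xlink:href", "src"}
REMOTE_URL_RE = re.compile(r"^\s*(?:https?:)?//", re.I)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?\s*((?:https?:)?//[^'\")\s]+)", re.I)


class RemoteRefScanner(HTMLParser):
    """Collects (tag, attribute, url) for every remote reference found.

    thorough=False models a naive filter that only inspects <img src>;
    thorough=True also checks other URL attributes, inline CSS url() and
    SVG animation targets."""

    def __init__(self, thorough: bool) -> None:
        super().__init__(convert_charrefs=True)
        self.thorough = thorough
        self.hits: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        attrs = {name: (value or "") for name, value in attrs}
        if not self.thorough:
            if tag == "img" and REMOTE_URL_RE.match(attrs.get("src", "")):
                self.hits.append((tag, "src", attrs["src"].strip()))
            return
        for name, value in attrs.items():
            if name in URL_ATTRS and REMOTE_URL_RE.match(value):
                self.hits.append((tag, name, value.strip()))
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    self.hits.append((tag, "style", url))
            elif tag in ANIMATION_TAGS and name in ANIMATION_VALUE_ATTRS:
                # <animate attributeName="href" to="https://..."> replaces the
                # parent's href at runtime, so a static href check never sees it.
                if attrs.get("attributename", "").lower() in ANIMATABLE_URL_TARGETS:
                    for candidate in value.split(";"):  # "values" is ;-separated
                        if REMOTE_URL_RE.match(candidate):
                            self.hits.append((tag, name, candidate.strip()))


def scan(html: str, thorough: bool = True) -> list[tuple[str, str, str]]:
    parser = RemoteRefScanner(thorough)
    parser.feed(html)
    parser.close()
    return parser.hits


# Constructed samples illustrating the bypass classes named in the article;
# they are not the payloads reported to Roundcube.
SAMPLES = {
    "img src": '<p>Hello</p><img src="https://tracker.example/pixel.gif">',
    "body background": '<body background="https://tracker.example/bg.png"><p>Hello</p></body>',
    "svg animate to": ('<svg><image href="cid:logo@local">'
                       '<animate attributeName="href" to="https://tracker.example/a.png" dur="1s"/>'
                       '</image></svg>'),
    "svg set values": ('<svg><image xlink:href="cid:logo@local">'
                       '<set attributeName="xlink:href" values="cid:logo@local;//tracker.example/b.png"/>'
                       '</image></svg>'),
    "inline css": '<div style="background-image:url(\'https://tracker.example/c.png\')">x</div>',
}


def compare(samples=SAMPLES) -> dict[str, tuple[int, int]]:
    """Return {sample name: (hits seen by naive filter, hits seen by thorough filter)}."""
    return {name: (len(scan(html, thorough=False)), len(scan(html, thorough=True)))
            for name, html in samples.items()}


if __name__ == "__main__":
    for name, (naive, thorough) in compare().items():
        print(f"{name:16s} naive={naive} thorough={thorough}")
```

Only the plain <img src> sample is caught by the naive filter; the other four load an external resource through a path it never inspects. A production sanitizer should work the other way round, allow-listing the attributes and URL schemes it understands (cid:, data:) and rewriting or dropping everything else, rather than trying to enumerate bypasses as this scanner does.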
Beyond server-level threats, version 1.6.14 addresses flaws that directly impact user account security and privacy:
- Password Change Flaw: a user's password could be changed without supplying the current one, so an attacker who hijacks a session even briefly could lock the legitimate user out of the account.
- IMAP Injection & CSRF: the mail search function allowed IMAP injection (search terms reaching the IMAP server as protocol syntax rather than as data) and a CSRF bypass.
- HTML Attachment XSS: a Cross-Site Scripting (XSS) vulnerability in the HTML attachment preview has been closed.
- SSRF & Information Disclosure: stylesheet links in a message could make the server issue requests on the attacker's behalf, leaking information about hosts on the local network.
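The IMAP injection item above is easiest to understand by looking at how a search term travels to the IMAP server. The Python below is an added example, not Roundcube's code, and does not claim to reproduce the exact bug that was fixed: it shows the generic defect (interpolating a user-supplied term into a quoted string) next to the RFC 3501 fix (encoding the term as a quoted string only when it is safe, and as a counted literal otherwise), then runs both through a minimal model of how an IMAP server splits incoming bytes into commands. The injection string, tag values and mailbox name are constructed for the demonstration.

```python
import re

LITERAL_AT_EOL = re.compile(rb"\{(\d+)\}$")


def imap_astring(value: str) -> bytes:
    """Encode a client-supplied string as an IMAP astring (RFC 3501).

    Quoted strings may only carry 7-bit characters other than CR, LF and NUL,
    with backslash and double quote escaped. Anything else is sent as a
    literal {n}CRLF<n octets>: the server reads exactly n octets as data,
    so a CRLF inside the value can never start a new command."""
    data = value.encode("utf-8")
    if all(0x01 <= b < 0x80 and b not in (0x0A, 0x0D) for b in data):
        escaped = data.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
        return b'"' + escaped + b'"'
    return b"{%d}\r\n" % len(data) + data


def search_naive(tag: str, subject: str) -> bytes:
    """Vulnerable: drops the user's term straight into a quoted string."""
    return f'{tag} SEARCH SUBJECT "{subject}"\r\n'.encode("utf-8")


def search_safe(tag: str, subject: str) -> bytes:
    """Hardened: the term is encoded as a proper astring first."""
    return tag.encode("ascii") + b" SEARCH SUBJECT " + imap_astring(subject) + b"\r\n"


def parse_commands(stream: bytes) -> list[bytes]:
    """Split a client byte stream into commands the way a minimal IMAP server
    does: one command per CRLF-terminated line, except that a line ending in
    {n} makes the server swallow the next n octets as data before it resumes
    reading the same command."""
    commands: list[bytes] = []
    current = b""
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n", pos)
        if end == -1:
            break  # incomplete command; a real server would wait for more bytes
        segment = stream[pos:end]
        pos = end + 2
        current += segment
        literal = LITERAL_AT_EOL.search(segment)
        if literal:
            n = int(literal.group(1))
            current += b"\r\n" + stream[pos:pos + n]  # literal octets are data
            pos += n
            continue  # the same command continues after the literal
        commands.append(current)
        current = b""
    return commands


# Constructed attacker input: closes the quoted string, terminates the SEARCH
# command and smuggles a second, unrelated command onto the connection.
INJECTION = 'report"\r\nA002 DELETE INBOX\r\n'

if __name__ == "__main__":
    for label, builder in (("naive", search_naive), ("safe", search_safe)):
        cmds = parse_commands(builder("A001", INJECTION))
        print(f"{label}: server sees {len(cmds)} command(s)")
        for cmd in cmds:
            print("   ", cmd)
```

With the naive builder the server sees three commands, the second of which is the attacker's DELETE; with the safe builder it sees a single SEARCH whose 28-octet literal happens to contain a CRLF. On a real connection the client must wait for the server's "+" continuation before sending a synchronizing literal (or use a non-synchronizing "{n+}" literal where LITERAL+ is supported); the bytes on the wire are otherwise identical to what search_safe produces.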
Roundcube has become a recurring target for advanced persistent threat (APT) groups. Most notably, the Russia-linked group Winter Vivern (also tracked as TA473) was caught exploiting a zero-day vulnerability (CVE-2023-5631) to spy on European governments and think tanks.
APT28 (Fancy Bear), tied to Russia's GRU, has also systematically targeted Roundcube. In a campaign dubbed "Operation RoundPress," the group used XSS flaws to compromise Ukrainian government entities and defense firms. Its toolkit includes a Roundcube-specific variant with modules for stealing mail in bulk and, in some variants, for bypassing two-factor authentication (2FA).
Upgrading to Roundcube 1.6.14 closes all of the issues above. Because the file-write flaw needs no credentials, internet-facing installations that use the Redis or Memcache session handlers should be patched first; the remaining fixes protect logged-in users and should follow as soon as possible.