CISA Alert: Roundcube Webmail XSS Vulnerability Targeted by Active Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about a vulnerability in Roundcube Webmail that is being actively exploited by attackers. This flaw in the popular webmail client puts organizations at a high risk of compromise. Immediate action is necessary to address the vulnerability and protect affected systems.

The vulnerability, which carries a CVSS score of 6.1, was discovered by Zscaler researcher Niraj Shivtarka. Roundcube is a PHP-based IMAP email client that runs in the browser and supports a range of web servers and databases.

The flaw is a cross-site scripting (XSS) issue: malicious link references in plain-text messages can be used to expose sensitive information. It affects Roundcube versions prior to 1.4.14, 1.5.x versions before 1.5.4, and 1.6.x versions before 1.6.3. The issue has been resolved in version 1.6.3, released on September 15, 2023.

CISA has added the vulnerability (CVE-2023-43770) to its Known Exploited Vulnerabilities catalog. Vendors are advised to apply mitigations or discontinue use of the affected product.

A recent search on Shodan, the search engine for internet-connected devices, shows over 132,000 publicly reachable Roundcube servers on the internet. Exposed instances should be patched and protected with appropriate security measures to reduce the risk of compromise.

The stable release Roundcube Webmail 1.6.3 is now available, and all Roundcube 1.6.x installations should be updated to it. For Debian 10 (buster), the fix is carried in package version 1.3.17+dfsg.1-1~deb10u3, so users of that distribution should upgrade their roundcube packages.
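A version-triage helper, added here as an example and not part of the CISA advisory or the Roundcube project, that applies the affected ranges listed above to an inventory of version strings and flags distribution packages (such as the Debian backport) for a separate check against the distro advisory; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fix versions per release branch, as stated in the advisory text above.
FIXED_IN = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}

_UPSTREAM_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")
# Debian/Ubuntu package markers: such packages may carry a backported fix under
# an old upstream number, so the upstream comparison alone cannot decide.
_DISTRO_RE = re.compile(r"\+dfsg|~deb\d|ubuntu")

def parse_version(text: str) -> tuple:
    """Return the upstream (major, minor, patch) from strings such as '1.6.2',
    'v1.5.4' or the Debian package version '1.3.17+dfsg.1-1~deb10u3'."""
    m = _UPSTREAM_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(x) for x in m.groups())

def assess(text: str) -> str:
    """Classify one version string: 'affected', 'fixed' or 'check-distro-advisory'."""
    if _DISTRO_RE.search(text):
        return "check-distro-advisory"
    v = parse_version(text)
    branch = v[:2]
    if branch in FIXED_IN:
        return "affected" if v < FIXED_IN[branch] else "fixed"
    # Everything before 1.4 falls in the "prior to 1.4.14" range and has no
    # upstream fix; branches newer than 1.6 are not listed as affected.
    return "affected" if v < (1, 4, 0) else "fixed"

def triage(inventory: dict) -> dict:
    """Group hosts by status so the 'affected' bucket can be patched first."""
    buckets = {"affected": [], "fixed": [], "check-distro-advisory": []}
    for host, version in sorted(inventory.items()):
        buckets[assess(version)].append(host)
    return buckets

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.2",
    "mail-b.example.test": "1.6.3",
    "mail-c.example.test": "v1.5.3",
    "legacy.example.test": "1.3.17+dfsg.1-1~deb10u3",
}
```

Calling `triage(SAMPLE_INVENTORY)` puts mail-a and mail-c in the affected bucket, mail-b in fixed, and the Debian host in the bucket that needs the distro advisory consulted.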
