Connect with us

Hi, what are you looking for?


Email Security

CISA Warns of Roundcube Webmail Vulnerability Exploitation

CISA has added the Roundcube flaw tracked as CVE-2023-43770 to its known exploited vulnerabilities catalog.

CISA known exploited vulnerabilites

The US security agency CISA has added another Roundcube flaw to its known exploited vulnerabilities (KEV) catalog, urging government agencies and other entities to address it as soon as possible. 

The security hole, tracked as CVE-2023-43770, was patched by the developers of the open source webmail solution in September 2023. The issue has been described as a persistent cross-site scripting (XSS) issue that can be exploited for arbitrary code execution in the context of the victim’s browser. 

The vulnerability can be exploited by sending specially crafted emails to Roundcube users that have yet to install the patch. A proof-of-concept (PoC) exploit and a technical description of the vulnerability have been publicly available for months. 

Attackers can, in theory, exploit the vulnerability to steal user credentials and other data, hijack sessions, and conduct phishing attacks. 

There does not appear to be any public information on the attacks exploiting CVE-2023-43770, but CISA’s entry in the KEV catalog indicates it has not been involved in ransomware attacks. 

Compromising Roundcube email servers can be highly useful for cyberespionage operations. 

Last year, CISA added four Roundcube vulnerabilities to its KEV catalog, all of them believed to have been exploited by Russian threat actors, including the ones known as APT28 and Winter Vivern.

The Shodan and Censys search engines show tens of thousands of internet-exposed Roundcube servers, but it’s unclear how many of them are still impacted by CVE-2023-43770.

Advertisement. Scroll to continue reading.

Related: Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware

Related: Zimbra Zero-Day Exploited to Hack Government Emails

Related: CISA Warns of Apache Superset Vulnerability Exploitation

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

Cloud security researcher warns that stolen Microsoft signing key was more powerful and not limited to and Exchange Online.