The US security agency CISA has added another Roundcube flaw to its known exploited vulnerabilities (KEV) catalog, urging government agencies and other entities to address it as soon as possible.
The security hole, tracked as CVE-2023-43770, was patched by the developers of the open source webmail solution in September 2023. The issue has been described as a persistent cross-site scripting (XSS) issue that can be exploited for arbitrary code execution in the context of the victim’s browser.
The vulnerability can be exploited by sending specially crafted emails to Roundcube users that have yet to install the patch. A proof-of-concept (PoC) exploit and a technical description of the vulnerability have been publicly available for months.
Attackers can, in theory, exploit the vulnerability to steal user credentials and other data, hijack sessions, and conduct phishing attacks.
There does not appear to be any public information on the attacks exploiting CVE-2023-43770, but CISA’s entry in the KEV catalog indicates it has not been involved in ransomware attacks.
Compromising Roundcube email servers can be highly useful for cyberespionage operations.
Last year, CISA added four Roundcube vulnerabilities to its KEV catalog, all of them believed to have been exploited by Russian threat actors, including the ones known as APT28 and Winter Vivern.
The Shodan and Censys search engines show tens of thousands of internet-exposed Roundcube servers, but it’s unclear how many of them are still impacted by CVE-2023-43770.
Related: Critical Apache ActiveMQ Vulnerability Exploited to Deliver Ransomware
Related: Zimbra Zero-Day Exploited to Hack Government Emails
Related: CISA Warns of Apache Superset Vulnerability Exploitation