Alert: CISA Warns of Active ‘Roundcube’ Email Attacks

February 13, 2024 | Newsroom | Email Vulnerability / Security


The US Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a medium-severity security flaw affecting the Roundcube email software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

The issue, tracked as CVE-2023-43770 (CVSS score: 6.1), relates to a cross-site scripting (XSS) flaw that originates from the handling of link references (linkrefs) in plain-text messages.

“Roundcube Webmail contains a persistent cross-site scripting (XSS) vulnerability that can lead to information disclosure through malicious link references in plain/text messages,” CISA said.


According to the bug description in NIST's National Vulnerability Database (NVD), the vulnerability affects versions of Roundcube before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3.

The flaw was addressed by the Roundcube maintainers in version 1.6.3, which was released on September 15, 2023. Zscaler security researcher Niraj Shivtarkar is credited with discovering and reporting the vulnerability.

It is currently unknown how the vulnerability is being exploited in the wild, but flaws in the web-based email client were weaponized last year by Russia-linked threat actors such as APT28 and Winter Vivern.

US Federal Civilian Executive Branch (FCEB) agencies are required to apply the vendor-provided fixes by March 4, 2024, to secure their networks against potential threats.
