CISA Warns of Exploited Roundcube Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities in the Roundcube webmail platform to its Known Exploited Vulnerabilities (KEV) catalog. The action follows evidence of active exploitation in the wild, with at least one flaw (CVE-2026-2036) believed to enable remote code execution. Organizations using the open-source webmail software are urged to apply patches immediately.

- The two vulnerabilities added to the KEV catalog are CVE-2023-43770, a persistent cross-site scripting (XSS) flaw, and CVE-2021-44026, an SQL injection vulnerability. The XSS flaw allows information disclosure through crafted malicious links in plain text messages, while the SQL injection can be exploited via the search parameters.
- Nation-state actors, including the Russian GRU-linked group APT28 (also known as Fancy Bear) and Winter Vivern, have a history of exploiting Roundcube vulnerabilities to conduct espionage. These groups have targeted Ukrainian government and military entities, as well as other European organizations, to steal credentials, exfiltrate data, and spy on communications.
- The exploitation method for the XSS vulnerability (CVE-2023-43770) involves sending an email with a specially crafted link. When a user on a vulnerable server views the email, the malicious script can execute, potentially leading to session hijacking, credential theft, and data exfiltration.
- Exploitation of these flaws is not just theoretical; threat actors have been observed weaponizing new Roundcube vulnerabilities within 48 hours of their public disclosure.
- One of the recently highlighted vulnerabilities had reportedly been present in the Roundcube codebase for over a decade before being discovered, affecting a vast number of installations.
- The recommended mitigation is to immediately update Roundcube installations. Versions 1.4.14, 1.5.4, and 1.6.3 and later contain the fix for CVE-2023-43770.
- Due to evidence of active exploitation, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies must patch these vulnerabilities by March 13, 2026, under Binding Operational Directive (BOD) 22-01.
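The patch guidance above is per release branch (1.4.14, 1.5.4, 1.6.3 and later), so a plain "newest version wins" comparison gets it wrong for installations on older supported branches. The following script is an added example, not code from CISA, Roundcube, or the original briefing: it reads the installed version out of a Roundcube tree and decides, branch by branch, whether the CVE-2023-43770 fix is present. It assumes the version string is defined as `RCMAIL_VERSION` in `program/include/iniset.php` (an assumption about Roundcube's layout; adjust if your installation differs), and the inventory of hosts and versions at the bottom is constructed for the demonstration.

```python
import re

# Fixed versions for CVE-2023-43770 per release branch, as stated in the advisory.
FIXED_VERSIONS = {
    (1, 4): (1, 4, 14),
    (1, 5): (1, 5, 4),
    (1, 6): (1, 6, 3),
}
LATEST_FIXED_BRANCH = max(FIXED_VERSIONS)  # (1, 6)

# Assumption: Roundcube declares its version in program/include/iniset.php as
#   define('RCMAIL_VERSION', '1.6.3');
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([0-9][0-9A-Za-z.\-]*)'\s*\)")


def parse_version(text):
    """Turn '1.6.3' or '1.6-beta' into a 3-tuple of ints; pre-release tags are dropped,
    which errs on the vulnerable side (1.6-beta sorts as 1.6.0, below the 1.6.3 fix)."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable Roundcube version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return (parts + (0, 0, 0))[:3]


def extract_version(iniset_source):
    """Pull the version string out of the contents of program/include/iniset.php."""
    m = VERSION_RE.search(iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def is_patched(version):
    """True if this version contains the CVE-2023-43770 fix for its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[branch]
    # Branches newer than every fixed branch (1.7.x and up) postdate the fix;
    # branches older than 1.4 are end-of-life and never received it.
    return branch > LATEST_FIXED_BRANCH


def triage(inventory):
    """Map host -> version string and return the hosts that still need the patch,
    each paired with the first fixed release on its branch (or 'upgrade branch')."""
    needs_patch = {}
    for host, version in inventory.items():
        if is_patched(version):
            continue
        branch = parse_version(version)[:2]
        target = FIXED_VERSIONS.get(branch)
        needs_patch[host] = ".".join(map(str, target)) if target else "upgrade branch"
    return needs_patch


# Constructed sample: what a collector might read from each host's iniset.php.
SAMPLE_INISET = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.2');\n"

SAMPLE_INVENTORY = {  # constructed, not real hosts
    "mail-a.example.test": extract_version(SAMPLE_INISET),  # 1.6.2 -> vulnerable
    "mail-b.example.test": "1.5.4",                          # fixed on 1.5 branch
    "mail-c.example.test": "1.4.13",                         # vulnerable
    "mail-d.example.test": "1.3.17",                         # EOL branch, no fix
}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: running {SAMPLE_INVENTORY[host]}, update to {target}")
```

Run it against a real inventory by replacing the constructed dictionary with the version strings your configuration-management or asset system reports; any host listed in the output is on a branch where the advisory's fixed release has not been reached and should be scheduled for the update ahead of the BOD 22-01 deadline.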


Shared from Scout - Be the smartest in the room.