CVE-2017-16651 — Roundcube Webmail File Disclosure Vulnerability

CVE-2017-16651

Roundcube Webmail — Insufficient Attachment Plugin Input Validation Enables Authenticated Arbitrary File Read on Webmail Server; HIGH 7.8; Fixed November 2017

What Is Roundcube Webmail?

Roundcube is the most widely deployed open-source webmail client, used by thousands of ISPs, universities, corporations, and government agencies as the front end for IMAP email access. Roundcube runs as a PHP web application on the mail server, and its file attachment handling plugin directly accesses the server filesystem to manage file uploads and attachment preparation. As an authenticated interface to email — often containing sensitive correspondence, credentials, and confidential documents — Roundcube webmail servers are high-value targets for espionage and credential theft campaigns.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on November 3, 2021. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-16651 is a file disclosure vulnerability in Roundcube Webmail caused by insufficient input validation in the file attachment plugin used by default. An authenticated attacker — any user with a Roundcube login — can manipulate attachment-related requests to read arbitrary files from the webmail server's filesystem, including sensitive configuration files containing database credentials, IMAP passwords, and SMTP credentials. Fixed in Roundcube 1.3.3, 1.2.7, and 1.1.10 (November 2017). CISA added CVE-2017-16651 to the KEV catalog in November 2021 reflecting active exploitation against mail servers.

Affected Versions

Roundcube Version                        | Status
Roundcube before 1.1.10                  | Vulnerable
Roundcube 1.2.x before 1.2.7             | Vulnerable
Roundcube 1.3.x before 1.3.3             | Vulnerable
Roundcube 1.1.10, 1.2.7, 1.3.3 and later | Fixed

Note: The CVSS vector uses AV:L (Local) reflecting that the attacker must be a low-privileged authenticated Roundcube user; the vulnerability does not require physical access but requires valid webmail credentials.

Technical Details

Root Cause: Insufficient Input Validation in File Attachment Plugin

CVE-2017-16651 is a file disclosure vulnerability (CWE-552) in Roundcube's file attachment plugin, which is enabled by default. The plugin handles the storage and retrieval of email attachment data on the server filesystem. The vulnerability arises from insufficient validation of user-controlled path or filename parameters passed to attachment handling functions — the plugin does not adequately sanitize input to prevent path traversal or direct file access outside the intended attachment directory.

Attack flow:

  1. Attacker authenticates to Roundcube with any valid webmail account
  2. Attacker sends a crafted request to the attachment handler with a manipulated path pointing to sensitive server files
  3. The attachment plugin reads and returns the content of the targeted file
  4. Attacker obtains contents of arbitrary server files

High-value targets on a typical Roundcube server:

  • config/config.inc.php — contains database credentials (MySQL/PostgreSQL passwords), IMAP server credentials, DES key for session encryption
  • /etc/passwd, /etc/shadow — system user information
  • IMAP server configuration files with plaintext credentials
  • SSL certificate private keys
  • Postfix/Dovecot configuration files with internal server details

Attack Characteristics

Attribute      | Detail
Attack Vector  | Network — authenticated HTTP request to Roundcube
Authentication | Required — any valid Roundcube account
Impact         | Arbitrary file read on webmail server
Complexity     | Low — single crafted HTTP request

Discovery

Discovered and reported to the Roundcube project; patched in the November 2017 security release across all three supported branches simultaneously.

Exploitation Context

  • Mail server credential harvesting: A Roundcube server's configuration file typically contains database credentials and IMAP server passwords in plaintext; reading config/config.inc.php gives an attacker credentials to access the underlying mail database directly, modify email, and potentially pivot to other systems using reused passwords
  • Nation-state and espionage targeting: Roundcube has been specifically targeted by APT28 (Fancy Bear/GRU) and other nation-state actors in campaigns against government, military, and political organizations — attacks against Roundcube instances are consistent with email intelligence collection missions
  • Low authentication barrier: Unlike unauthenticated vulnerabilities, CVE-2017-16651 requires a valid Roundcube account; however, many mail servers allow self-registration or have accounts with weak passwords, and spear phishing combined with credential stuffing is used to gain initial Roundcube access
  • CISA KEV (2021): Added November 3, 2021 as part of a broad KEV catalog expansion reflecting confirmed exploitation against government and critical infrastructure mail servers

Remediation

CISA BOD 22-01 Deadline: May 3, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Upgrade Roundcube — update to Roundcube 1.3.3+, 1.2.7+, or 1.1.10+ to patch CVE-2017-16651. Current Roundcube versions (1.6.x) are significantly newer and address many subsequent vulnerabilities; prioritize upgrading to the latest stable release.

  2. Rotate all credentials stored in Roundcube configuration — if CVE-2017-16651 may have been exploited, immediately rotate the Roundcube database password, any SMTP relay credentials, and the DES/AES session key in config/config.inc.php; assume these were read by the attacker.

  3. Restrict Roundcube filesystem permissions — ensure the web server process cannot read sensitive system files outside the Roundcube application directory; use PHP open_basedir restrictions to confine file access to the Roundcube root.

  4. Enable two-factor authentication — where supported by your Roundcube deployment, enable 2FA to raise the bar for initial account access that CVE-2017-16651 requires.

  5. Monitor Roundcube access logs — look for unusual attachment-related requests, especially requests referencing paths outside the expected attachment storage directory; these indicate exploitation attempts or active exploitation.
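The path-handling failure described under Root Cause and the log review in step 5 above, as an added Python example that is not code from this page or from the Roundcube project: a containment check of the kind the attachment plugin lacked (shown next to the naive join it replaces) and a scanner that applies that check to every query-string parameter of access-log lines. The attachment root, the log lines, and the `_action`/`_file` parameter names are constructed for the example; the page does not name the real parameter the vulnerable handler reads, so nothing here reproduces it.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed attachment storage root for this example; a real deployment
# uses whatever directory the administrator configured.
ATTACHMENT_ROOT = "/var/lib/roundcube/attachments"

# Apache/nginx "combined" access-log line; only the fields the scanner
# needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def naive_attachment_path(root: str, requested: str) -> str:
    """The unsafe pattern: trust the caller's value and join it to the root.
    os.path.join discards root entirely when `requested` is absolute, and
    '..' segments walk out of root. Shown only as the contrast case."""
    return os.path.join(root, requested)


def is_within_directory(root: str, requested: str) -> bool:
    """Hardened containment check: resolve root and the candidate path
    (symlinks included) and require the candidate to be root itself or a
    descendant of it. Anything that escapes, and any value carrying a NUL
    byte (which some filesystem APIs silently truncate at), is rejected."""
    if "\x00" in requested:
        return False
    root_real = os.path.realpath(root)
    try:
        target = os.path.realpath(os.path.join(root_real, requested))
    except ValueError:
        return False
    return os.path.commonpath([root_real, target]) == root_real


def suspicious_params(target: str, root: str = ATTACHMENT_ROOT) -> dict:
    """Return {param: decoded_value} for each query-string parameter whose
    value would escape `root` if it were used as a file path. The extra
    unquote() pass catches double-encoded sequences such as %252e%252e."""
    hits = {}
    query = urlparse(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(value)
            if not is_within_directory(root, decoded):
                hits[name] = decoded
    return hits


def scan_log(lines, root: str = ATTACHMENT_ROOT) -> list:
    """Apply the containment check to every parameter of every parsable
    request line and report the requests whose values escape the root."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"), root)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "params": hits,
            })
    return findings


# Constructed sample log lines. The _action value and the _file parameter
# are invented for the example, not Roundcube's real attachment parameters.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Nov/2017:08:12:01 +0000] "GET /roundcube/?_task=mail&_action=get&_uid=42&_mbox=INBOX HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2017:08:13:44 +0000] "GET /roundcube/?_task=mail&_action=plugin.attach&_file=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.55"',
    '203.0.113.7 - - [10/Nov/2017:08:13:59 +0000] "GET /roundcube/?_task=mail&_action=plugin.attach&_file=%2Fvar%2Fwww%2Froundcube%2Fconfig%2Fconfig.inc.php HTTP/1.1" 200 2048 "-" "curl/7.55"',
    '203.0.113.9 - - [10/Nov/2017:08:15:10 +0000] "POST /roundcube/?_task=mail&_action=upload HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f"{f['time']} {f['ip']} status={f['status']} params={f['params']}")
```

Run as a script it prints the two requests from 203.0.113.7 whose values resolve outside the attachment root; the first line (ordinary mailbox access) and the upload POST produce no findings. In a real review, feed the server's own access log and set `root` to the configured attachment directory; a 200 status on a flagged request is the case to treat as a likely successful read, and the credential rotation in step 2 applies. Checking every parameter rather than one known name is deliberate, since the exact parameter the handler trusts is not stated here.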

Key Details

Property             | Value
CVE ID               | CVE-2017-16651
Vendor / Product     | Roundcube — Roundcube Webmail
NVD Published        | 2017-11-09
NVD Last Modified    | 2025-10-22
CVSS 3.1 Score       | 7.8
CVSS 3.1 Vector      | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity             | HIGH
CWE                  | CWE-552 — Files or Directories Accessible to External Parties
CISA KEV Added       | 2021-11-03
CISA KEV Deadline    | 2022-05-03
Known Ransomware Use | No

CVSS 3.1 Breakdown

Metric              | Value
Attack Vector       | Local
Attack Complexity   | Low
Privileges Required | Low
User Interaction    | None
Scope               | Unchanged
Confidentiality     | High
Integrity           | High
Availability        | High

Required Action

CISA BOD 22-01 Deadline: 2022-05-03. Apply updates per vendor instructions.

Timeline

Date       | Event
2017-11-08 | Roundcube releases security updates 1.3.3, 1.2.7, 1.1.10 patching CVE-2017-16651
2017-11-09 | CVE-2017-16651 published by NVD
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2022-05-03 | CISA BOD 22-01 remediation deadline

References

Resource                                            | Type
NVD — CVE-2017-16651                                | Vulnerability Database
CISA KEV Catalog Entry                              | US Government
Roundcube Security Updates 1.3.3, 1.2.7, and 1.1.10 | Vendor Advisory