An unpatched security vulnerability was discovered in the Horde Webmail open-source software. The attackers could exploit the vulnerability to gain control of your system, allowing them to intercept sent and received messages, password reset links, impersonate employees, along with other attacks.

What is a webmail application?

A webmail application allows organizations to work through a centralized browser. Typically, users can log into their webmail account with the appropriate credentials, and the server acts as a proxy allowing authenticated users to email.

The treasure trove of data available in webmail servers naturally makes them a target for cybercriminals.

Scope of the problem and potential impact

The discovered vulnerability in the Horde webmail code allows criminals to add arbitrary code to the underlying server. The cybercriminals can then execute the attack by crafting a malicious email containing an attachment. When clicked, the attachment exploits the vulnerability without further interaction with the target.

The vulnerability lives in the default configuration of Horde, and the victim may not know of the occurrence.

Another exploitable aspect of the vulnerability is that the clear-text credentials of the victim are leaked to the attacker. The attacker could then use those credentials to gain access to more services of your organization.

No official patch available, but secure email services could help

There are no solutions for Horde webmail that are available to users at this time. So, it’s recommended that Horde webmail users either disable the bugged feature or switch to an alternative secure email services provider that offers a webmail application.

Whether you are communicating with someone within your network or an outside vendor, using a secure email service provider will keep your email account and the content of your emails safe.

Typically, secure email services include the implementation of end-to-end encryption, two-factor authentication (2FA), and other helpful protective features like pattern recognition and detection.

Two-factor authentication 

While there is no way to keep cybercriminals away all the time, you can make it harder for them to succeed in getting their hands on your data. 2FA adds an extra layer of protection on top of passwords for your employees and your business.

If a password may be compromised, it is not likely that the other authentication factors will be.


Encrypted email is the process of scrambling the content of your email messages to protect them from being read by unwanted or malicious parties.

Sensitive information is sent through email all the time, making it the holy grail for those looking to profit off cybercrime– personal information like social security numbers, passwords, login information, and bank account numbers. These pieces of information are generally dangerous to send via email, particularly in an email that is not encrypted.

End-to-end encryption means that only authorized parties can access confidential information.

Final thoughts 

Since there are no solutions for the Horde webmail bug, you may want to shop around for centralized, secure email services that can work for you.