What if you have software with a vulnerability that will not be patched? What does this mean?
RCE stands for Remote Code Execution, which means the attacker does not have to be on the system to exploit it (this is the most dangerous kind of attack).
If you are running Horde webmail to check your email, then it is time to stop. The developers of Horde are not updating the software anymore. From the Horde maintainers' website: https://www.horde.org/apps/webmail/docs/RELEASE_NOTES
The Horde Team is pleased to announce the final release of the Horde Groupware
Webmail Edition version 5.2.22.
Horde Groupware Webmail Edition is a free, enterprise ready, browser based
communication suite. Users can read, send and organize email messages with four
different webmail interfaces and manage and share calendars, contacts, tasks,
notes, files, and bookmarks with the standards compliant components from the
Unfortunately, this announcement means you can no longer use this software: it has an RCE bug, which means that if you use Horde you will be hacked (eventually).
Some refer to this kind of software as abandonware.
The programmers did this open source project without getting paid for it (unless someone voluntarily gave money), so it eventually died out.
For open source software to work, it has to have a large following and some momentum behind it. Otherwise this kind of thing happens. Not all programmers love a program enough to work on it for free forever, especially if there is a security bug that might take a while to fix (not that I know why the Horde developers did this).
The only indication we have is from the PortSwigger article:
Horde Webmail contains zero-day RCE bug with no patch on the horizon
And the relevant sentence:
A patch for the remote code execution (RCE) vulnerability in the open source platform may never surface given that the current version, which contains the flaw, has been flagged by the maintainers as the final release.
Sonar researchers have therefore advised users to abandon Horde Webmail.
Thus, if you are using Horde Webmail, even in cPanel or inside other software, you have to abandon it: uninstall it and use something else.