Patch your RoundCube and Docker installs — plus NGINX finally handles its own certs
Bare Metal Digest — Issue #2
A mixed bag this week. On the security front, RoundCube webmail is being actively exploited and deserves your immediate attention if you self-host email. On the good news side, NGINX just shipped native Let's Encrypt support, and there's a useful roundup of Let's Encrypt infrastructure changes worth understanding if you rely on it for TLS — which most of you do.
🔴 RoundCube Webmail is Being Actively Exploited Right Now
CISA added two RoundCube vulnerabilities to its Known Exploited Vulnerabilities catalog this week, meaning attackers are already using these in the wild, not just in theory. CVE-2025-49113 is a PHP object deserialization flaw: a logged-in webmail user (or an attacker holding stolen credentials) can send crafted data that the server unserializes and ends up executing as code. CVE-2025-68461 is a cross-site scripting (XSS) issue that can be used to hijack sessions or steal credentials. If you're self-hosting email with RoundCube as your webmail interface, this is your top priority this week.
Does this affect you?
- Run `dpkg -l | grep roundcube` (Debian/Ubuntu) or `rpm -qa | grep roundcube` (RHEL/Fedora) to check whether it's installed
- If you're running RoundCube, update it immediately via your package manager or directly from the RoundCube releases page. Distro packages usually backport the fix without bumping the upstream version number, so go by your distro's security advisory rather than by whether the version string matches the upstream fixed release
- Check your RoundCube logs for unusual activity: look for unexpected logins or PHP errors that might indicate prior exploitation
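To turn that version check into something scriptable, here is an added example (written for this digest, not code from the Roundcube project) that compares an installed version against the releases that fixed CVE-2025-49113 upstream, 1.6.11 and 1.5.10. It reads the version from dpkg or rpm using the Debian (`roundcube`) and Fedora/EPEL (`roundcubemail`) package names, which are assumptions for your distro, and it takes the fixed version as an argument because distro packages usually backport the fix under the old version number.

```shell
#!/bin/sh
# Added example for this digest, not code from the Roundcube project.
# Decides whether an installed Roundcube predates the fix for CVE-2025-49113.
# Upstream fixed releases: 1.6.11 (1.6 branch) and 1.5.10 (1.5 branch).
# Distro packages usually backport the fix without changing the upstream
# version, so on Debian/RHEL pass the version named in the distro advisory
# as arguments 2 and 3 instead of relying on these defaults.

# ver_lt A B: exit 0 if dotted version A is strictly lower than B.
# Non-numeric suffixes such as "+dfsg-1" or "-rc2" are ignored.
ver_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}                # leading component
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}    # keep its digits only
        [ "${ax:-0}" -lt "${bx:-0}" ] && return 0
        [ "${ax:-0}" -gt "${bx:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac   # drop the component
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1                                    # versions are equal
}

# roundcube_status VERSION [FIXED_1_6] [FIXED_1_5]: prints "vulnerable" or "patched".
# Anything older than the 1.5 branch is end-of-life and reported vulnerable.
roundcube_status() {
    v="$1"; fixed16="${2:-1.6.11}"; fixed15="${3:-1.5.10}"
    case "$v" in
        1.5|1.5.*) fixed="$fixed15" ;;
        *)         fixed="$fixed16" ;;
    esac
    if ver_lt "$v" "$fixed"; then echo vulnerable; else echo patched; fi
}

# installed_roundcube_version: prints the package version from dpkg or rpm,
# nothing if Roundcube is not installed. Package names are assumptions for
# Debian/Ubuntu ("roundcube") and Fedora/EPEL ("roundcubemail").
installed_roundcube_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Version}\n' roundcube 2>/dev/null || :
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}\n' roundcubemail 2>/dev/null | grep -v 'not installed' || :
    fi
}

# Report on this host (the defaults assume an upstream install; see above).
v=$(installed_roundcube_version)
if [ -n "$v" ]; then
    printf 'roundcube %s: %s\n' "$v" "$(roundcube_status "$v")"
else
    echo 'roundcube: not installed according to dpkg/rpm'
fi
```

On a Debian box the meaningful call is `roundcube_status "$(installed_roundcube_version)" "<version from the DSA>"`; the built-in defaults only make sense for an install straight from the upstream releases page.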
🔴 Cisco SD-WAN Bugs Under Active Exploitation
Cisco has disclosed two new SD-WAN vulnerabilities that are actively being exploited right now. SD-WAN is Cisco's software-defined networking product used to manage and route traffic across distributed sites.
Does this affect you?
Skip this if you're not running Cisco SD-WAN infrastructure — it's an enterprise networking product
If you are running it, patch immediately and check Cisco's advisory for indicators of compromise
🟡 Weekly Linux Distro Security Updates — Docker and Kernel Worth Checking
The usual weekly patch wave landed across Debian, Fedora, Red Hat, SUSE, and Mageia. Most of it is routine, but two packages stand out for self-hosters: Docker and the Linux kernel. If you're running containers in production (and most of you are), a Docker security update is worth applying sooner rather than later; note that upgrading the package restarts the daemon, which restarts your containers too unless `"live-restore": true` is set in `/etc/docker/daemon.json`. FreeRDP patches are also included, relevant if you expose any remote desktop services.
Does this affect you?
- Run your standard update command: `apt update && apt upgrade` (Debian/Ubuntu), `dnf upgrade` (Fedora/RHEL), or `zypper update` (SUSE)
- Check specifically for Docker: `apt-get install --only-upgrade docker.io docker-ce` or equivalent (only the one you actually have installed is touched)
- Kernel updates require a reboot; schedule it if uptime matters to you. `[ -f /var/run/reboot-required ]` (Debian/Ubuntu) or `needs-restarting -r` (RHEL/Fedora) tells you whether one is pending
- Check `uname -r` before and after to confirm the kernel update applied
🟡 USR-W610 Industrial IoT Gateway Has Multiple Critical Holes
CISA flagged four critical vulnerabilities in the USR-W610, a small industrial WiFi gateway/serial-to-network device made by Jinan USR IOT. The flaws allow authentication bypass, denial-of-service attacks, and theft of admin credentials. These devices are sometimes used in home labs or small offices to bridge serial equipment to a network.
Does this affect you?
Check your hardware inventory for any USR-W610 devices (they're small DIN-rail or desktop units, often used for RS232/RS485 bridging)
If you have one running firmware 3.1.1.0 or earlier, check the manufacturer's site for a patch and make sure the admin interface isn't exposed to the public internet
If you can't patch immediately, isolate the device on a separate VLAN
🟢 NGINX Gets Native Let's Encrypt Support — No More Certbot Juggling
This is genuinely good news for a lot of you. NGINX now has built-in ACME support, meaning it can request, renew, and manage Let's Encrypt TLS certificates automatically without needing a separate tool like Certbot or acme.sh running alongside it. ACME (Automatic Certificate Management Environment) is the protocol Let's Encrypt uses to verify domain ownership and issue certificates. This simplifies setups considerably — fewer moving parts, fewer renewal cron jobs to babysit.
Does this affect you?
Relevant if you run NGINX directly (not via Coolify, Caddy, or Traefik, which already handle this)
- Check your NGINX version with `nginx -v`; you'll need a recent enough build to have this feature, so check the linked post for the minimum version. The ACME support ships as a dynamic module (ngx_http_acme_module), so you also need that module package installed and a matching `load_module` line in nginx.conf
- Caddy users: you already have this; nothing to change
Worth evaluating if you've been running Certbot as a separate process — consolidating is cleaner
🟢 Let's Encrypt Infrastructure Roundup: What's Changed and What It Means For You
Several Let's Encrypt updates landed in our feed this week covering infrastructure changes over the past couple of years. Rather than hit you with five separate items, here's a consolidated summary of what's changed and what you need to know:
OCSP is dead — CRLs took over. OCSP (Online Certificate Status Protocol) was the old way browsers checked whether a certificate had been revoked. Let's Encrypt shut it down because OCSP had a privacy problem: every time someone visited your site, their browser phoned home to Let's Encrypt to check your cert. CRLs (Certificate Revocation Lists) are the replacement; browsers, or their vendors on the browser's behalf, download revocation data in bulk instead, which is both more private and more efficient. Certificates issued since the change carry no OCSP URL at all, so OCSP stapling in your web server silently does nothing with a Let's Encrypt cert, and anything explicitly configured to use Let's Encrypt's OCSP endpoint is pointing at a responder that no longer exists.
Short-lived (6-day) certificates are now available. Let's Encrypt now offers certificates that expire after just 160 hours (~6 days). The security benefit is that a compromised or misissued cert becomes useless in under a week without needing revocation. The catch: your renewal automation needs to be rock-solid, since there's no room for a missed renewal, and your ACME client has to support ACME profiles to request one (Let's Encrypt exposes them as the shortlived profile). Not recommended unless you're confident in your automation.
IP address certificates are now available. You can now get a Let's Encrypt cert for a bare IP address, not just a domain name. Useful for services or APIs that are accessed by IP. Two constraints: they're only issued as short-lived (6-day) certs, and validation has to be http-01 or tls-alpn-01 against that address, since dns-01 isn't an option for an IP. The address must therefore be publicly reachable; RFC 1918 ranges on your internal network don't qualify.
ARI (ACME Renewal Information) is in production. This is a protocol extension that lets Let's Encrypt tell your ACME client when to renew — which matters a lot if a cert gets revoked unexpectedly. Check whether your ACME client (Certbot, acme.sh, Caddy, etc.) supports ARI; most modern versions do.
Chain of trust cleanup is done. The old DST Root CA X3 cross-signature that caused the famous September 2021 breakage on older Android/OpenSSL devices is fully retired: Let's Encrypt stopped shipping the cross-signed chain in 2024 and the cross-sign itself has since expired. If you're still seeing cert trust errors on very old clients, the cross-sign won't save you; you need a different solution.
Does this affect you?
- OCSP: if you have `ssl_stapling on` in NGINX with a Let's Encrypt cert, it no longer does anything; remove it, along with any explicit `ssl_stapling_responder`, and run `grep -rE "ssl_stapling|ocsp" /etc/nginx/` to find the config
- Short-lived certs: opt-in only, no action needed unless you want them
- IP certs: opt-in only; request one via your ACME client as you would a domain cert (they only come in the short-lived profile, so the same automation caveat applies)
- ARI: run `certbot --version` or check your ACME client's changelog to confirm ARI support
- Chain changes: run `openssl s_client -connect yourdomain.com:443 -showcerts` and verify the chain looks clean with no reference to DST Root CA X3
OCSP end of life → | Short-lived & IP certs → | ARI explained → | Chain shortening →
🟢 Bonus: Add a CAA Record to Lock Down Who Can Issue Certs for Your Domain
Less urgent, but worth doing on a quiet afternoon. A CAA (Certificate Authority Authorization) DNS record tells the world which certificate authorities are allowed to issue certs for your domain. If you only use Let's Encrypt, a CAA record prevents any other CA from issuing a cert for your domain — a useful safeguard against misissuance or account compromise at another CA.
Does this affect you?
Worth doing for any domain you care about — takes about 5 minutes in your DNS provider's dashboard
- Add a record like: `yourdomain.com. CAA 0 issue "letsencrypt.org"`
- Check if you already have one: `dig CAA yourdomain.com` or use your DNS provider's interface
- If you use multiple CAs (e.g. Let's Encrypt for some things, ZeroSSL for others), add a CAA entry for each
- A single `issue` record also governs wildcard certificates unless you add an `issuewild` record; `0 issuewild ";"` forbids wildcards from every CA
- Let's Encrypt also honours the `accounturi` parameter, e.g. `0 issue "letsencrypt.org; accounturi=<your ACME account URL>"`, which pins issuance to your own ACME account so a compromised account elsewhere can't obtain a cert from Let's Encrypt either; an `iodef` record (`0 iodef "mailto:you@yourdomain.com"`) gets you a report when a CA refuses
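To see what a CA actually does with those records, here is an added example (written for this digest, not code from Let's Encrypt or any DNS provider) that applies the RFC 8659 rules to the text `dig +short CAA` prints: `issuewild` overrides `issue` for wildcard names, a bare `";"` value permits nobody, and no records at all permits everyone. The sample records are constructed and `example.test` is a placeholder.

```shell
#!/bin/sh
# Added example for this digest, not code from Let's Encrypt or any DNS vendor.
# Evaluates a name's CAA records the way an issuing CA must (RFC 8659):
#   - for a wildcard name, "issuewild" records govern if any exist,
#     otherwise the "issue" records do (so a lone "issue" record also
#     restricts wildcard certs)
#   - the CA may issue only if its issuer domain (letsencrypt.org for
#     Let's Encrypt) is in the governing set; a bare ";" value permits nobody
#   - no CAA records at all means any CA may issue
# Input on stdin: records as `dig +short CAA name` prints them, one per line,
# e.g.  0 issue "letsencrypt.org"   (the long `dig` form is accepted too).
# Parameters after ";" in a value, such as accounturi=..., are ignored here.

# caa_allows ISSUER_DOMAIN WILDCARD(0|1) < records : exit 0 if issuance is permitted
caa_allows() {
    awk -v ca="$1" -v wild="${2:-0}" '
        {
            for (i = 1; i <= NF; i++)          # find the property tag field
                if ($i == "issue" || $i == "issuewild") { tag = $i; val = $(i + 1); break }
            if (i > NF) next                   # iodef, CNAME line, junk: ignore
            gsub(/"/, "", val)                 # strip the quotes
            sub(/;.*/, "", val)                # drop parameters; ";" alone becomes ""
            if (tag == "issue")     { n_issue++;     if (val == ca) ok_issue = 1 }
            if (tag == "issuewild") { n_issuewild++; if (val == ca) ok_wild  = 1 }
        }
        END {
            if (wild && n_issuewild > 0) exit (ok_wild  ? 0 : 1)
            if (n_issue > 0)             exit (ok_issue ? 0 : 1)
            exit 0                             # no restrictions published
        }'
}

# caa_verdict ISSUER_DOMAIN WILDCARD < records : prints "allowed" or "denied"
caa_verdict() {
    if caa_allows "$@"; then echo allowed; else echo denied; fi
}

# Constructed sample (not real DNS data): Let's Encrypt may issue ordinary
# certs, nobody may issue wildcards, and refusals are reported by mail.
SAMPLE_CAA='0 issue "letsencrypt.org"
0 issuewild ";"
0 iodef "mailto:security@example.test"'

printf '%s\n' "$SAMPLE_CAA" | caa_verdict letsencrypt.org 0   # allowed
printf '%s\n' "$SAMPLE_CAA" | caa_verdict letsencrypt.org 1   # denied
printf '%s\n' "$SAMPLE_CAA" | caa_verdict zerossl.com 0       # denied
```

On a real domain: `dig +short CAA yourdomain.com | caa_verdict letsencrypt.org 0` (use 1 when you mean a wildcard cert). A CA walks up the tree when the name itself has no records, so if `dig` returns nothing for `www.yourdomain.com`, query `yourdomain.com` too; the first name that has records is the one that gets enforced.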