Critical XSS Vulnerability In Roundcube Let Attackers Execute Arbitrary Code


Roundcube, a widely adopted open-source webmail application, is included by default in the popular cPanel web hosting control panel, leading to millions of installations worldwide. 

The software is commonly used by universities and government agencies, making the email accounts of public sector employees a valuable target for Advanced Persistent Threat (APT) groups engaged in espionage. 


Cybersecurity researchers at SonarSource recently discovered a critical XSS vulnerability in Roundcube (1.6.7 is vulnerable to CVE-2024-42009, while 1.5.7 and below are vulnerable to CVE-2024-42008) that enables threat actors to execute arbitrary code.

XSS Vulnerability In Roundcube

In 2023, ESET Research and Insikt Group documented attack campaigns by the Winter Vivern APT targeting Roundcube servers used by the Ukrainian military, Georgian Defense Ministry, and other European entities.


These attacks successfully exploited a Cross-Site Scripting (XSS) zero-day vulnerability in Roundcube to steal emails and passwords from victims who viewed a malicious email.

The CVE-2024-42009 vulnerability is considered critical, as it can be exploited without any user interaction beyond simply viewing a malicious email in Roundcube. 

The slightly less severe CVE-2024-42008 requires a single click from the victim, though the attacker can make this interaction inconspicuous. 

These vulnerabilities pose a significant risk because an attacker can gain a persistent foothold in the victim's browser, continuously exfiltrate emails, and capture the victim's password the next time it is entered.

This has made Roundcube a major target for APT groups involved in espionage, such as those that targeted the Ukrainian military and Georgian Defense Ministry in 2023, because the government and university email accounts that are typically hosted on Roundcube servers are exposed as a result.

Moreover, threat actors such as the Winter Vivern APT group have already demonstrated their ability to discover and exploit similar XSS weaknesses in Roundcube.

Technical details of the patches for these vulnerabilities are not being openly released yet, as determined adversaries like the Winter Vivern APT group could use them to discover similar flaws independently.

To secure against this threat, Roundcube administrators should make sure they update their installations with patched versions 1.6.8 or 1.5.8 immediately. 

Users who think they may have been affected should also change their email passwords and clear site data associated with the use of the Roundcube instance.
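For administrators responsible for more than one Roundcube instance, the first practical step is to find out which installations still sit below the fixed releases named above. The following script is an added example and is not Roundcube's own code; the only facts it relies on are the ones stated in this article (1.6.x is fixed in 1.6.8, and the 1.5.x-and-below line is fixed in 1.5.8). The host inventory it processes is constructed for illustration, and the helper names are the author's own.

```python
"""Triage Roundcube version strings against the fixed releases named in the
advisory.  Added example; assumes only that 1.6.8 and 1.5.8 are the first
patched releases on their respective lines (as the article states)."""
import re

# First patched release per branch, taken from the article.
FIXED_1_6 = (1, 6, 8, 0)
FIXED_1_5 = (1, 5, 8, 0)

# Accepts "1.6.7", "Roundcube Webmail 1.5.3" or "1.6.8-rc".  The optional
# pre-release suffix is captured so that a release candidate of a fixed
# version is NOT mistaken for the fixed release itself.
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>-?(?:rc|beta|alpha)\d*)?",
    re.IGNORECASE,
)


def parse_version(text):
    """Return (major, minor, patch, pre) where pre is 0 for a final release
    and -1 for a pre-release, so tuple comparison orders 1.6.8-rc < 1.6.8."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    patch = int(m.group("patch") or 0)
    pre = -1 if m.group("pre") else 0
    return (int(m.group("major")), int(m.group("minor")), patch, pre)


def is_patched(text):
    """True when the version is at or above the fix for its branch.
    Versions on 1.6 or later are measured against 1.6.8; everything older
    (1.5.x and below) is measured against 1.5.8."""
    v = parse_version(text)
    if v[:2] >= (1, 6):
        return v >= FIXED_1_6
    return v >= FIXED_1_5


def triage(inventory):
    """Map host -> 'ok' or 'update' for a {host: version_string} inventory.
    Unparseable strings are reported as 'unknown' rather than silently
    treated as safe."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "ok" if is_patched(version) else "update"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "mail.example.edu": "Roundcube Webmail 1.6.7",
    "webmail.example.gov": "1.5.8",
    "legacy.example.org": "1.4.15",
    "staging.example.net": "1.6.8-rc",
    "broken.example.net": "version unavailable",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {SAMPLE_INVENTORY[host]:28} -> {action}")
```

Because the fix lines are branch-specific, a plain "newest version wins" comparison is wrong here: 1.5.8 is patched while 1.6.7 is not, which is why the check first decides which line a version belongs to before comparing it against that line's fixed release.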
