Exploited Roundcube Webmail Flaw Poses Threat to CIS Government Emails

Published on October 22, 2024
Written by:
Lore Apostol
Lore Apostol
Cybersecurity & Streaming Writer

Hackers have been actively exploiting a vulnerability in the Roundcube Webmail client, targeting government organizations across the Commonwealth of Independent States (CIS). The exploitation leverages a medium-severity stored XSS (cross-site scripting) vulnerability that has been active since June. 

Discovered by cybersecurity firm Positive Technologies in September, this vulnerability, identified as CVE-2024-37383, allows threat actors to execute malicious JavaScript code when unsuspecting users open specifically crafted emails.

Roundcube Webmail, a popular open-source solution among commercial and governmental entities, has been under attack due to improper processing of SVG elements in emails. This flaw circumvents syntax checks, enabling malicious code to run on user pages.

The attacks involve emails that appear empty but contain a .DOC attachment. Crucially, hidden within the code is a base64-encoded JavaScript payload disguised as an "href" value. 

Source: Positive Technologies

This payload not only prompts the download of a decoy document but also injects an unauthorized login form to steal users' credentials, which are then transmitted to a remote server hosted on Cloudflare infrastructure.

To exacerbate the situation, attackers have been using the ManageSieve plugin to exfiltrate messages, further compromising affected systems. Vulnerable Roundcube versions include those earlier than 1.5.6 and versions 1.6 to 1.6.6. System administrators are advised to update to versions 1.5.7, 1.6.7, or the latest 1.6.9 as a precautionary measure.

This isn't the first time Roundcube has been targeted. Earlier in the year, CISA alerted organizations about CVE-2023-43770, another XSS vulnerability in Roundcube. 

Additionally, in October 2023, a zero-day XSS flaw tracked as CVE-2023-5631 was exploited by Russian hackers known as 'Winter Vivern' against European government entities and think tanks. 

In August, the Russian government and IT organizations were targeted by a new spear-phishing campaign that security researchers call EastWind. The campaign delivered an updated version of CloudSorcerer, novel PlugY backdoors, and the GrewApacha trojan.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: