
Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631)
2023-10-25 11:44

The Winter Vivern APT group has been exploiting a zero-day vulnerability in Roundcube webmail servers to spy on email communications of European governmental entities and a think tank, according to ESET researchers.

Roundcube is an open-source, browser-based email client with an application-like user interface.

In the final stage of the attack, the attackers loaded another JavaScript payload that lists the folders and emails in the current Roundcube account and exfiltrates email messages to the attackers' C2 server.

"Winter Vivern has stepped up its operations by using a zero-day vulnerability in Roundcube. Previously, it was using known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online," ESET researchers said.

CVE-2023-5631 was reported to the Roundcube team separately by Matthieu Faou and Denys Klymenko, and was patched a few days later.

It affects Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15.
News URL

https://www.helpnetsecurity.com/2023/10/25/roundcube-webmail-zero-day-exploited-to-spy-on-government-entities-cve-2023-5631/

Related Vulnerability

Date: 2023-10-18
CVE: CVE-2023-5631
Title: Cross-site Scripting vulnerability in multiple products
Description: Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior.
Attack vector: network
Attack complexity: low
Vendors: roundcube, debian, fedoraproject
Weakness: CWE-79
Risk score: 5.4

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Roundcube 3 7 50 6 5 68