Security News > 2023 > October > New Cyberattack From Winter Vivern Exploits a Zero-Day Vulnerability in Roundcube Webmail
ESET researcher Matthieu Faou has exposed a new cyberattack from a cyberespionage threat actor known as Winter Vivern, whose interests align with Russia and Belarus.
The attack focuses on exploiting a zero-day vulnerability in Roundcube webmail, with the result being the ability to list folders and emails in Roundcube accounts and exfiltrate full emails to an attacker-controlled server.
This threat actor has a history of exploiting webmail software, as it already abused older Roundcube vulnerabilities and known Zimbra webmail vulnerabilities to target elected officials and staffers in the U.S. as well as experts in European politics and economics.
Winter Vivern uses vulnerability scanners such as Acunetix probably to scan targeted networks.
ESET noted that Winter Vivern has been observed exploiting CVE-2020-35730, which is a known Roundcube vulnerability against entities that are also targeted by threat actor APT28, which has been described as the military unit 26165 of Russia's Military Intelligence Agency, previously known as GRU. In addition, ESET pointed out a possible link to threat actor MoustachedBouncer, who runs attacks against foreign diplomats in Belarus.
ESET reported the CVE-2023-5631 vulnerability to Roundcube on Oct. 12, 2023; Roundcube patched it on Oct. 14, 2023 and released security updates to address the vulnerability on Oct. 16, 2023 for versions 1.6.4, 1.4.15 and 1.5.5.
News URL
https://www.techrepublic.com/article/winter-vivern-exploits-zero-day-roundcube-webmail/
Related news
- New Mirai botnet targets industrial routers with zero-day exploits (source)
- Mirai Botnet Variant Exploits Four-Faith Router Vulnerability for DDoS Attacks (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Zero-Day Vulnerability in Ivanti VPN (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- Hackers Exploit Aviatrix Controller Vulnerability to Deploy Backdoors and Crypto Miners (source)
- Hackers Exploit Zero-Day in cnPilot Routers to Deploy AIRASHI DDoS Botnet (source)
- Hackers exploit 16 zero-days on first day of Pwn2Own Automotive 2025 (source)
- Apple zero-day vulnerability exploited to target iPhone users (CVE-2025-24085) (source)
- Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411) (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-10-18 | CVE-2023-5631 | Cross-site Scripting vulnerability in multiple products Roundcube before 1.4.15, 1.5.x before 1.5.5, and 1.6.x before 1.6.4 allows stored XSS via an HTML e-mail message with a crafted SVG document because of program/lib/Roundcube/rcube_washtml.php behavior. | 5.4 |
| 2020-12-28 | CVE-2020-35730 | Cross-site Scripting vulnerability in multiple products An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10. | 6.1 |