Hackers target Roundcube webmail application vulnerability, compromise EU govt servers

published: Oct. 25, 2023

Take action: An example of a vulnerability with a relatively low severity score that is nonetheless being actively exploited. A bug that needs user interaction is not out of reach for attackers: here they packaged the exploit in an e-mail message so that a user merely viewing it in the webmail client ran their code for them, inside that user's authenticated session.

Learn More

A hacking group known as Winter Vivern has been actively targeting European government entities and think tanks since at least October 11th. They have been exploiting a zero-day vulnerability in Roundcube Webmail, a widely used webmail software, to carry out their cyberattacks.

The vulnerability, tracked as CVE-2023-5631, was publicly reported by ESET researchers on October 16th and was patched by the Roundcube development team. It is a stored cross-site scripting (XSS) flaw: an attacker can plant arbitrary JavaScript in an e-mail message, and when the victim opens that message in Roundcube the script runs in the victim's browser, with the privileges of the victim's logged-in webmail session.

Winter Vivern attacked with HTML e-mail messages containing carefully crafted SVG documents. Roundcube's HTML sanitizer failed to neutralize the SVG content, so simply viewing the message in a browser executed the embedded JavaScript; no link had to be clicked. The phishing messages impersonated the Outlook Team to entice targets into opening them.
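As an added example, not part of the original article and not Roundcube's own code, the Python script below parses a raw e-mail and flags HTML or SVG parts that carry script-capable content: `<script>` elements, `on*` event handlers, and base64-encoded `data:image/svg+xml` URIs, which it decodes and scans recursively up to a fixed depth. The sample messages are constructed here; the nested data: URI layout in the malicious sample is an assumption chosen to show why a sanitizer has to look at decoded SVG rather than only the outer markup, and it is not a reproduction of the Winter Vivern message or of the exact CVE-2023-5631 bypass.

```python
"""Flag script-capable SVG/HTML in a raw RFC 822 message.

Added example for triage and detection; it is not Roundcube code and does
not reproduce the CVE-2023-5631 sanitizer bypass.  Uses only the standard
library so it runs offline.
"""
import base64
import binascii
import email
import re
from email import policy
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$")            # onload, onerror, onclick, ...
URL_ATTRS = {"href", "xlink:href", "src", "data"}  # attributes that may hold a URI
DATA_SVG = re.compile(r"^\s*data:image/svg\+xml;base64,(.+)$", re.IGNORECASE | re.DOTALL)
MAX_DEPTH = 3                                      # guard against decode bombs


class ScriptSniffer(HTMLParser):
    """Records <script> tags, on* handlers and base64 data: SVG URIs.

    A data: SVG is decoded and parsed recursively, because the markup
    inside it is what the browser will actually render and execute.
    """

    def __init__(self, depth=0):
        super().__init__()
        self.depth = depth
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        where = f"depth{self.depth} <{tag}>"
        if tag == "script":
            self.findings.append(f"{where} script element")
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append(f"{where} event handler {name}")
            elif name in URL_ATTRS and value:
                m = DATA_SVG.match(value)
                if m:
                    self.findings.append(f"{where} base64 data: SVG in {name}")
                    self._descend(m.group(1))

    def _descend(self, b64):
        if self.depth >= MAX_DEPTH:
            self.findings.append(f"depth{self.depth} nesting limit reached")
            return
        try:
            inner = base64.b64decode(b64).decode("utf-8", errors="replace")
        except (binascii.Error, ValueError):
            self.findings.append(f"depth{self.depth} undecodable data: URI")
            return
        self.findings.extend(scan_markup(inner, self.depth + 1))


def scan_markup(markup, depth=0):
    """Return a list of finding strings for one piece of HTML/SVG markup."""
    parser = ScriptSniffer(depth)
    parser.feed(markup)
    parser.close()
    return parser.findings


def scan_message(raw):
    """Scan every text/html and image/svg+xml part of a raw message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "image/svg+xml"):
            body = part.get_content()
            if isinstance(body, bytes):
                body = body.decode("utf-8", errors="replace")
            findings.extend(scan_markup(body))
    return findings


# Constructed samples (not real Winter Vivern mail).  The inner SVG carries an
# onerror handler; wrapping it in a base64 data: URI hides it from a sanitizer
# that only inspects the outer markup.  This layout is an illustrative
# assumption, not the actual CVE-2023-5631 payload.
INNER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><image href="x" onerror="alert(1)"/></svg>'
SAMPLE_EML = (
    b"From: Outlook Team <outlook@example.com>\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Account notice\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><p>Please review your account.</p>"
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<use href="data:image/svg+xml;base64,' + base64.b64encode(INNER_SVG) + b'"/>'
    b"</svg></body></html>\r\n"
)
CLEAN_EML = (
    b"From: colleague@example.org\r\n"
    b"To: victim@example.org\r\n"
    b"Subject: Minutes\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<html><body><p>Minutes attached.</p><a href="https://example.org/m">link</a></body></html>\r\n'
)

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_EML):
        print(finding)
    print("clean message findings:", scan_message(CLEAN_EML))
```

The recursion is the point: the outer `<use>` element carries nothing executable itself, and only decoding the data: URI reveals the `onerror` handler at depth 1. In a mail-gateway or SIEM context the same check can run over quarantined messages to find mail that was already delivered before the Roundcube upgrade.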

Upon successful exploitation of the Roundcube email server vulnerability, the hackers deployed a JavaScript payload, which enabled them to access and steal emails from compromised webmail servers. This payload allowed the malicious actors to list folders and emails in the victim's Roundcube account and exfiltrate email messages to a command and control (C&C) server under their control.

It is crucial for organizations using Roundcube as their webmail software to ensure they are running patched versions to protect against such attacks. The fix shipped in Roundcube 1.6.4, 1.5.5 and 1.4.15; anything older should be upgraded, and mail that arrived while an unpatched version was in use, especially messages purporting to come from the "Outlook Team" and carrying inline SVG, deserves a closer look.
