CyberSecurity news
FlagThis - #roundcube
|
@blog.criminalip.io
//
A critical security vulnerability, CVE-2025-49113, has been identified in Roundcube webmail, a popular skinnable AJAX based webmail solution for IMAP servers. The flaw allows for remote code execution (RCE) through the exploitation of email subject lines. Attackers can inject malicious PHP code into the subject header field, which, when processed by Roundcube, allows them to execute arbitrary commands on the server. This vulnerability is particularly dangerous as it can be exploited without any user interaction, enabling attackers to compromise systems simply by sending a malicious email.
This vulnerability affects Roundcube versions up to 1.6.4. Security researchers confirmed that the flaw was actively exploited to install backdoors and exfiltrate system information. As of June 2025, the Shadowserver Foundation reported that over 84,925 Roundcube instances were exposed to this vulnerability. Criminal IP Asset Search has also identified tens of thousands of affected cases, highlighting the widespread nature of the threat. The vulnerability was patched in version 1.6.5. Ubuntu has released security notices (USN-7584-1) addressing the Roundcube vulnerability. It was discovered that Roundcube Webmail did not properly sanitize the _from parameter in a URL, leading to PHP Object Deserialization. A remote attacker could possibly use this issue to execute arbitrary code. The problem can be corrected by updating your system to the specified package versions for your Ubuntu release, which is available via standard system updates or Ubuntu Pro with ESM Apps. Given the severity and active exploitation of CVE-2025-49113, users are strongly advised to update their Roundcube installations immediately to the latest version.
Share:
References :
Classification:
Field Effect@Blog
//
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, among other aliases. Security researchers at ESET have uncovered that this operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. The primary objective is to steal confidential data from specific email accounts. The attackers have been observed targeting several webmail platforms.
In 2024, the scope of Operation RoundPress expanded beyond Roundcube, including webmail software such as Horde, MDaemon, and Zimbra. Specifically, the group exploited a zero-day XSS vulnerability, CVE-2024-11182, in MDaemon before a patch was available. The vulnerability was reported to the developers on November 1st, 2024, and subsequently patched in version 24.5.1. The exploitation involves injecting malicious JavaScript code into the victim's webmail page via spearphishing emails. The victims primarily consist of governmental entities and defense companies in Eastern Europe. However, governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, analyzed by ESET and named SpyPress, are designed to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. In the case of MDaemon, the attackers were able to set up a bypass for two-factor authentication. ESET has made Indicators of Compromise (IOCs) available on their GitHub repository.
Share:
References :
Classification: |