Roundcube CVE-2024-42009 and CVE-2025-49113 Exploited

Roundcube, a widely utilized open-source webmail client, is currently the focus of an active espionage campaign. A suspected China-aligned threat actor, tracked as UNK_MassTraction, is actively exploiting two distinct vulnerabilities: CVE-2024-42009 and CVE-2025-49113. This campaign targets university mail servers across the United States and Canada, with a particular emphasis on departments involved in sensitive research, such as physics and engineering.

The campaign, operational since May 2026, initiates with the exploitation of CVE-2024-42009, a cross-site scripting (XSS) vulnerability carrying a CVSS v3.1 Base Score of 6.1 (Medium). This client-side compromise facilitates subsequent exploitation of CVE-2025-49113, a critical deserialization vulnerability in Roundcube's Crypt_GPG component, rated with a CVSS v3.1 Base Score of 9.8 (Critical). This dual exploitation enables threat actors to achieve session theft, credential harvesting, persistent backdoors, and web shells.

This coordinated attack shows a strategic focus on high-value academic targets to acquire sensitive research and intellectual property. The multi-stage methodology employed by UNK_MassTraction necessitates a strong and layered defense strategy. Organizations must prioritize patching vulnerable Roundcube installations and implement enhanced monitoring to detect and mitigate the advanced persistent threats posed by this group.

What is the impact of the Roundcube vulnerabilities CVE-2024-42009 and CVE-2025-49113?

The exploitation of CVE-2024-42009 and CVE-2025-49113 by the UNK_MassTraction group poses a severe impact on targeted academic institutions. The primary risk revolves around the unauthorized acquisition of sensitive data, including research findings, intellectual property, confidential communications, and other sensitive data. Compromised mail servers provide a critical foothold for lateral movement into broader university networks.

Attackers gain access to the email accounts of administrators and professors, especially those in physics and engineering departments associated with national security interests, astrophysics, or particle physics studies. This access is then used for further internal phishing campaigns, allowing the threat actor to escalate privileges or expand their reach. The high severity of CVE-2025-49113, with its CVSS v3.1 Base Score of 9.8, shows the extensive control an attacker can achieve over the compromised server, potentially leading to full system compromise and data exfiltration.

The theft of credentials and session data via IceCube also enables attackers to impersonate legitimate users, further complicating detection and response. The deployment of web shells like SquareShell and fileless backdoors such as VShell establishes persistent access, allowing the threat actors to maintain a covert presence within the university environment for prolonged periods. This strategic targeting of the education sector for espionage aligns with observed patterns in other advanced persistent threats, as shown in our prior analysis of the ShinyHunters Oracle PeopleSoft zero-day which also targeted university systems.

How does the UNK_MassTraction group exploit these Roundcube vulnerabilities?

The exploitation chain employed by the UNK_MassTraction group is a sophisticated, multi-stage process using both client-side and server-side vulnerabilities within the Roundcube webmail environment. The attack commences with a targeted phishing email delivered to key personnel, such as administrators and professors. These emails are often challenging to discern as malicious, as they are sometimes sent from previously compromised accounts and domains.

The initial stage exploits CVE-2024-42009, a cross-site scripting (XSS) vulnerability. This flaw exists within Roundcube's HTML sanitization mechanism. When a specially crafted email is opened in a vulnerable Roundcube webmail client, an onanimationstart event within the HTML can trigger embedded JavaScript. This initial JavaScript, referred to by Proofpoint as IceCube, then loads an external JavaScript file from attacker-controlled infrastructure.

Once loaded, IceCube's primary function is to collect critical browser session data. This includes user credentials, active session cookies, and other pertinent browser session information. Comments embedded within the IceCube code suggest the possible use of large language models (LLMs) in its development. The gathered session data is then used to facilitate subsequent stages of the attack, often providing the necessary authentication for further system compromise.

Following the successful execution of IceCube and the theft of session data, the threat actors proceed to exploit CVE-2025-49113. This is a critical deserialization vulnerability found within the Roundcube's Crypt_GPG component. Successful exploitation of this vulnerability allows the UNK_MassTraction group to install SquareShell, a PHP-based web shell. This web shell is typically deployed in a plugin-like directory path to avoid immediate detection, and its timestamps are often altered to further obscure its presence and origin.

The operators also deploy VShell, a backdoor written in Go. VShell is notable for its fileless execution, loading directly into memory without leaving persistent files on disk. This characteristic makes VShell more challenging to detect through traditional file-based antivirus solutions and increases its stealth. Proofpoint has previously linked VShell to other China-linked cyber espionage campaigns. The use of fileless malware is a common tactic to increase stealth and reduce forensic artifacts, a strategy also observed in various sophisticated attacks targeting the education technology supply chain, as documented in our analysis of Payload ransomware victims in the EdTech sector.

The UNK_MassTraction group integrates built-in cleanup and persistence mechanisms into their attack chain. After executing, the malicious code clears traces from local storage and closes active sessions, minimizing forensic evidence. It also includes checks for prior infection by looking for a specific marker file in temporary directories. The command infrastructure used by the group, along with the presence of Chinese-language strings within the code, further supports the attribution of these activities to a China-aligned entity. This meticulous approach ensures sustained access and complicates incident response efforts for affected organizations.

Which Roundcube products and versions are affected by these vulnerabilities?

The research indicates that the UNK_MassTraction campaign specifically targets "vulnerable Roundcube mail servers" and relies on the compromise of the "vulnerable Roundcube webmail client." While explicit version numbers are not provided in the detailed findings, the presence of active exploitation means that any unpatched or outdated instance of Roundcube could be at risk.

Given the critical nature of CVE-2025-49113 (CVSS 9.8) and the severe implications of its exploitation, administrators are advised to treat any internet-exposed Roundcube deployment not running the latest security updates as potentially vulnerable.

  • Product: Roundcube Webmail Client
  • Vulnerability: CVE-2024-42009 (Cross-site Scripting, XSS)
  • Vulnerability: CVE-2025-49113 (Deserialization in Crypt_GPG component)
  • Affected Versions: Specific versions are not publicly detailed, but the campaign impacts "vulnerable Roundcube mail servers" and "vulnerable Roundcube webmail client" prior to the release of security patches for these specific CVEs.

How can these Roundcube exploits be detected?

Effective detection of the exploitation chain involving CVE-2024-42009 and CVE-2025-49113 requires a full and multi-layered monitoring strategy. Given the sophistication of the UNK_MassTraction group, organizations must implement strong logging and analysis capabilities across their network, endpoint, and application infrastructure.

  • Mail Server and Email Gateway Monitoring:
  • Monitor inbound emails for suspicious content, including obfuscated HTML, embedded JavaScript, or unusual onanimationstart attributes. While initial emails may come from compromised trusted sources, anomalies in message structure or headers could still be present.
  • Look for outbound connections from mail servers or user systems to external, potentially malicious, domains that align with IceCube's external JavaScript loading or C2 communications.
  • Review email gateway logs for messages containing suspicious URLs or attachments, even if they appear to originate from internal sources.
  • Web Server and Roundcube Application Log Analysis:
  • CVE-2024-42009 Exploitation: Analyze web server access logs for HTTP requests for external JavaScript files initiated from user sessions within the Roundcube application that deviate from normal application behavior. These requests indicate IceCube execution.
  • CVE-2025-49113 Exploitation: Monitor Roundcube application and web server logs for unusual write operations, file creations, or modifications within the Roundcube web directory, especially in plugin-like paths (e.g., plugins/) that would indicate SquareShell deployment.
  • Look for web server access logs showing requests to newly created or modified files in atypical directories, particularly those where timestamps may have been altered.
  • Identify and alert on any deserialization errors or anomalous activity reported by the Crypt_GPG component.
  • Endpoint Detection and Response (EDR) Systems:
  • VShell Detection: Implement EDR rules to identify and flag processes executing Go binaries directly in memory without corresponding on-disk files. Monitor for processes attempting to establish network connections from unusual parent processes or unexpected locations.
  • Detect activity related to the attacker's cleanup and persistence mechanisms, such as attempts to clear local storage, close active user sessions, or create/check for specific marker files in temporary directories.
  • Monitor for unusual outbound network connections from user workstations or servers that have recently accessed Roundcube, which could indicate data exfiltration by IceCube or VShell C2 communications.
  • Network Intrusion Detection/Prevention Systems (NIDS/NIPS) & Firewalls:
  • Integrate Proofpoint's provided Indicators of Compromise (IOCs), which include specific IP addresses, file hashes, URLs, and domain names, into NIDS, NIPS, and firewall rules.
  • Monitor for network connections to known malicious C2 infrastructure.
  • Identify unusual DNS queries or traffic patterns originating from university networks that correlate with known attacker infrastructure or the identified IOCs.
  • Threat Intelligence Integration:
  • Continuously update and use threat intelligence feeds that provide information on UNK_MassTraction and other China-aligned threat actors, particularly those targeting academic or research sectors.
  • Cross-reference internal logs with shared IOCs and threat actor tactics, techniques, and procedures (TTPs) to identify potential compromises and ongoing activity.

What is the remediation guidance for CVE-2024-42009 and CVE-2025-49113?

Immediate and thorough remediation is essential for organizations affected by the active exploitation of CVE-2024-42009 and CVE-2025-49113. A structured approach, prioritizing patching and complete compromise assessment, is necessary to mitigate the threat posed by the UNK_MassTraction group.

  • Patching and Updating:
  • Apply all available security patches for Roundcube that address CVE-2024-42009 and CVE-2025-49113. Confirm that the updated versions of the Roundcube webmail client and its Crypt_GPG component are correctly installed and operational.
  • Prioritize patching for any Roundcube instance that is exposed to the internet. If patching cannot be performed immediately, consider implementing temporary access restrictions, such as IP whitelisting, or deploying strong Web Application Firewall (WAF) rules to filter known malicious XSS payloads and deserialization attacks.
  • Compromise Assessment and Cleanup:
  • Log Review: Conduct a detailed review of mail server, web server, application, and network logs, paying close attention to activity since May 2026. Look for suspicious outbound connections, unusual email content, unauthorized file modifications, or creations.
  • Web Directory Inspection: Thoroughly examine all Roundcube web directories for new or modified files, particularly in plugin-like paths, or files with altered timestamps indicative of SquareShell deployment. Immediately quarantine and remove any unauthorized files.
  • Memory Analysis: Due to the fileless nature of VShell, perform memory forensics on any potentially compromised servers to identify and eradicate in-memory backdoors. While system reboots can clear fileless malware, they must be part of a broader incident response plan to prevent immediate re-infection.
  • Credential Reset: Mandate a password reset for all users, with a specific focus on administrators and professors in targeted departments, whose credentials or session tokens may have been compromised by IceCube. Enforce or implement multi-factor authentication (MFA) across all accounts if not already universally applied.
  • Session Invalidation: Invalidate all active user sessions on the Roundcube server to force re-authentication, thereby mitigating the risk posed by any stolen session cookies.
  • Network Segmentation: Isolate any identified compromised systems from the wider university network to contain the breach and prevent further lateral movement by the threat actor.
  • Threat Hunting: Actively hunt for all provided Indicators of Compromise (IOCs), including specific IP addresses, file hashes, URLs, and domain names, across all available network and endpoint logs.
  • Proactive Mitigations and Hardening:
  • Email Security Enhancements: Bolster email gateway security to improve detection and blocking of malicious attachments, suspicious URLs, or advanced phishing attempts. Implement and enforce email authentication protocols such as DMARC, SPF, and DKIM to counter email spoofing.
  • Web Application Firewall (WAF) Deployment: Position a WAF in front of all internet-facing Roundcube instances. Configure the WAF to detect and block XSS attack attempts (CVE-2024-42009) and suspicious deserialization payloads associated with CVE-2025-49113.
  • Principle of Least Privilege: Ensure that the Roundcube application and its underlying components operate with the minimum necessary privileges.
  • Regular Audits and Assessments: Conduct frequent security audits and vulnerability assessments of all internet-facing applications, especially webmail clients, to identify and address weaknesses proactively.
  • User Security Awareness Training: Educate all users, particularly those in high-risk departments, on identifying and reporting advanced phishing and social engineering techniques.

Technical Takeaways

  • The UNK_MassTraction campaign is actively exploiting CVE-2024-42009 (XSS, CVSS 6.1, Medium) and CVE-2025-49113 (Deserialization, CVSS 9.8, Critical) in Roundcube.
  • The attack targets US and Canadian universities, focusing on physics and engineering departments for sensitive research, using a multi-stage approach.
  • Initial compromise involves IceCube JavaScript for credential and session theft, followed by the deployment of SquareShell (PHP web shell) and the fileless VShell (Go-based backdoor).
  • The threat actor, identified as a China-aligned espionage group, employs sophisticated stealth techniques, including altered web shell timestamps, in-memory execution, and integrated cleanup mechanisms.
  • Effective defense requires immediate patching, full log analysis for IOCs, advanced endpoint detection, and strong email and web application security measures.