Nation State Hackers Exploit Zero-Day in Roundcube Webmail Software

Oct 25, 2023NewsroomThreat Intelligence / Vulnerability

Roundcube Webmail Software

The threat actor known as Winter Vivern was observed exploiting a zero-day flaw in the Roundcube webmail software on October 11, 2023, to harvest email messages from victims’ accounts.

“Winter Vivern enhanced its operations by exploiting a zero-day vulnerability in Roundcube,” ESET security researcher Matthieu Faou SAYS in a new report published today. Previously, it exploited known vulnerabilities in Roundcube and Zimbra, where proof-of-concepts were available online.


Winter Vivern, also known as TA473 and UAC-0114, is a hostile collective whose goals align with those of Belarus and Russia. In the past few months, it has been blamed for attacks against Ukraine and Poland, as well as government entities across Europe and India.

The group was also investigated for exploiting another Roundcube flaw in the past (CVE-2020-35730), making it the second nation-state group after APT28 to target open-source webmail software.

Roundcube Webmail Software

The new security vulnerability in question is CVE-2023-5631 (CVSS score: 5.4), a stored cross-site scripting flaw that could allow a remote attacker to load arbitrary JavaScript code. A fix was released on October 14, 2023.

The attack chains mounted by the group begin with a phishing message that includes a Base64-encoded payload of HTML source code that, in turn, decodes a JavaScript injection from a remote server by weaponizing the XSS error.

“In summary, by sending a specially crafted email message, attackers can load arbitrary JavaScript code in the context of Roundcube’s browser window,” Faou explained. “No manual interaction other than viewing the message in a web browser is required.”


The second stage JavaScript (checkupdate.js) is a loader that facilitates the execution of a final JavaScript payload that allows the threat actor to exfiltrate email messages to the command-and-control (C2) server.

“Despite the low efficiency of the group’s toolset, it is a threat to European governments because of its persistence, frequent running of phishing campaigns, and because many internet-facing applications are not always which is updated even if it is known to contain vulnerabilities,” said Faou.

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment