Recent observations reveal attempts by unknown threat actors to exploit a security flaw in Roundcube webmail software for phishing attacks aimed at stealing user credentials.
Positive Technologies, a Russian cybersecurity company, identified an email sent to a governmental organization in a CIS country last month, originating from June 2024.
An analysis showed that the email contained no text but had an attached document. Unique tags with eval(atob(…)) were present in the body, encoding and executing JavaScript code.
The attack exploits CVE-2024-37383 (CVSS score: 6.1), a stored XSS vulnerability, enabling execution of arbitrary JavaScript via SVG animate attributes in the victim’s browser context.
The issue has been resolved in Roundcube versions 1.5.7 and 1.6.7 since May 2024.
By injecting JavaScript code in the “href” value, attackers can execute it when a malicious email is opened. The payload collects user credentials and exfiltrates them to a remote server.
The perpetrators behind the exploitation remain unidentified, but previous Roundcube vulnerabilities have been exploited by various hacking groups.
Despite being less popular, Roundcube webmail remains a target for cybercriminals due to its use by government agencies.
