Roundcube Vulnerability (CVE-2024-37383) Used in Phishing Campaigns Aimed at Government Agencies for Credential Theft – SOCRadar® Cyber Intelligence Inc.

Researchers observed threat actors exploiting a stored XSS flaw in Roundcube Webmail (CVE-2024-37383) to inject fake login forms and steal credentials from targeted users. The issue was used in phishing campaigns against government organizations in the CIS region and is linked to domains such as libcdn.org and rcm.codes.

Keypoints

  • CVE-2024-37383 is a stored XSS vulnerability affecting Roundcube versions earlier than 1.5.6 and 1.6.x before 1.6.6 (CVSS 6.1).
  • Attackers embedded hidden JavaScript (base64-encoded) in seemingly empty emails to bypass filters and execute code in victims’ browsers.
  • Exploitation allowed attackers to inject fake login forms into Roundcube’s interface, harvesting user credentials and sending them to malicious domains.
  • Phishing campaigns exploiting the flaw targeted government organizations in the Commonwealth of Independent States (CIS) region, observed in June 2024 and reported by researchers later.
  • Known malicious infrastructure includes domains libcdn.org (credential exfiltration) and rcm.codes (mailbox content exfiltration).
  • Researchers published a proof-of-concept demonstrating the XSS attack, and attackers also used the ManageSieve plugin to retrieve mailbox data from compromised accounts.
  • Mitigation is available: update Roundcube to patched releases (1.5.7, 1.6.7) — newer releases such as 1.6.9 have also been published.

MITRE Techniques

  • [T1566] Phishing – Use of deceptive emails to lure users into revealing credentials. [‘the phishing emails tricked recipients into revealing sensitive credentials by injecting fake login forms into Roundcube’s interface.’]
  • [T1059.007] Cross-Site Scripting – Exploitation of stored XSS to execute malicious JavaScript in victims’ browsers. [‘Attackers embed JavaScript in what appears to be an empty email, using a malformed href attribute… allowing them to execute arbitrary code.’]
  • [T1003] Credential Dumping – Harvesting user credentials via injected fake login forms in the webmail UI. [‘By embedding fake login forms in Roundcube’s interface, attackers can trick users into entering their credentials, which are then stolen.’]
  • [T1213] Data from Information Repositories – Retrieving email content from compromised accounts using email-management plugins. [‘the attackers used the ManageSieve plugin to retrieve emails from compromised accounts.’]

Indicators of Compromise

  • [Domain] Malicious command-and-control and exfiltration domains – libcdn.org (used to receive stolen credentials), rcm.codes (used to send mailbox content)
  • [Vulnerable Software Versions] Targeted Roundcube releases – versions earlier than 1.5.6 and 1.6.x before 1.6.6 (patches available in 1.5.7, 1.6.7, and later)
  • [Payload Type] Embedded/encoded malicious content in emails – base64-encoded JavaScript inside an invisible document attachment used to trigger the XSS
  • [Plugin] Mail retrieval mechanism used by attackers – ManageSieve (used to fetch mailbox contents from compromised accounts)

A stored cross-site scripting vulnerability tracked as CVE-2024-37383 in Roundcube Webmail has been actively abused to mount credential-theft phishing campaigns. The flaw — rated CVSS 6.1 — affects Roundcube versions prior to 1.5.6 and 1.6.x releases before 1.6.6 and stems from improper handling of SVG elements and malformed href attributes in email content. Attackers exploited this parsing gap by embedding JavaScript into what appeared to be empty messages; an extra space in an href attribute allowed malicious code to slip past Roundcube’s filters and execute in the recipient’s browser.

In practice, the malicious emails contained an invisible document attachment with base64-encoded JavaScript that both downloaded a deceptive document and injected a counterfeit login form into the Roundcube interface. When users entered credentials into that form, the data was exfiltrated to attacker-controlled infrastructure — researchers linked credential submission to the domain libcdn.org (registered 6 June 2024 and hosted via Cloudflare) and identified rcm.codes as used to transmit mailbox contents. The campaign was observed targeting government organizations in the Commonwealth of Independent States (CIS) region, with phishing activity traced to June 2024 and subsequent analysis and proof-of-concept disclosure by security researchers.
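As an added example (not code from SOCRadar or the Roundcube project), the following defensive scanner applies the indicators described above to a raw email: it flags an href with leading whitespace inside an SVG block, references to the reported domains, and base64 runs that decode to script-like content or to one of those domains. The heuristics are assumptions drawn from the article's description, and the sample message is constructed for illustration.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage

IOC_DOMAINS = ("libcdn.org", "rcm.codes")  # attacker infrastructure named in the article
# Heuristics are assumptions drawn from the article's description, not Roundcube's code:
# a whitespace-padded href inside <svg>, and base64 runs that hide script or a known domain.
SVG_BLOCK = re.compile(r"<svg\b.*?</svg>", re.I | re.S)
PADDED_HREF = re.compile(r"""\bhref\s*=\s*["']\s+""", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def _text_findings(text: str) -> list[str]:
    findings = []
    if any(PADDED_HREF.search(block) for block in SVG_BLOCK.findall(text)):
        findings.append("svg-href-leading-whitespace")
    findings += [f"ioc-domain:{d}" for d in IOC_DOMAINS if d in text]
    for blob in B64_BLOB.findall(text):
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if "<script" in decoded.lower() or "javascript:" in decoded.lower():
            findings.append("base64-encoded-script")
        findings += [f"ioc-domain:{d}" for d in IOC_DOMAINS if d in decoded]
    return findings

def scan_message(raw: bytes) -> list[str]:
    """Return sorted, de-duplicated findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():  # text/* parts only; get_content() returns str for these
        if part.get_content_type().startswith("text/"):
            findings.extend(_text_findings(part.get_content()))
    return sorted(set(findings))

def sample_message() -> bytes:
    """Constructed sample (not a captured email): a blank-looking multipart message."""
    blob = base64.b64encode(b'<script src="https://rcm.codes/x.js"></script>').decode()
    html = f'<html><body><svg><a href=" https://libcdn.org/">&nbsp;</a></svg><!-- {blob} --></body></html>'
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.invalid", "user@example.invalid"
    msg.set_content(" ")  # visibly empty text part
    msg.add_alternative(html, subtype="html")
    return msg.as_bytes()
```

Running `scan_message(sample_message())` on the constructed sample reports all four findings, including the rcm.codes reference that is only visible after decoding the base64 run.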

Beyond credential harvesting via fake forms, attackers leveraged the ManageSieve plugin to retrieve emails from compromised accounts, broadening their access to mailbox content. The researchers released a PoC demonstrating how the stored XSS could be weaponized to perform these actions, underlining the practical risk even after a patch was made available.

To remediate the vulnerability, administrators should upgrade Roundcube to patched releases; the fix has been applied in versions 1.5.7 and 1.6.7, and later releases such as 1.6.9 are available. Maintaining updated software, monitoring external-facing assets, and auditing email handling and plugins (including ManageSieve) are essential steps to reduce exposure. Solutions that continuously map and monitor an organization’s attack surface can help discover forgotten or unmonitored assets that might otherwise become footholds for attackers.

Read more: https://socradar.io/roundcube-vulnerability-cve-2024-37383-exploited-in-phishing-attacks-targeting-government-agencies-for-credential-theft/