Roundcube Webmail actively exploited flaws (multiple vulnerabilities)
Vulnerability
Summary
Hide ▲
Show ▼
Roundcube Webmail is under active exploitation through CVE-2025-49113 and CVE-2025-68461, with attackers also chaining CVE-2024-42009 in phishing-driven intrusions. The activity has been tied to UNK_MassTraction targeting US and Canadian universities, especially physics and engineering departments, to steal credentials and gain network access. CISA placed the flaws in the Known Exploited Vulnerabilities (KEV) Catalog, and Roundcube released 1.6.12 and 1.5.12 to fix affected deployments.
Related Happenings
UNK_MassTraction Roundcube university exploitation campaign
Campaign
H score41
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
How related:
The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.
About this happening:
The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
UNK_MassTraction Roundcube university exploitation campaign
CampaignHow related: The campaign has been observed since May and focuses on physics and engineering departments, administrators and professors, as well as organizations involved in astrophysics, particle physics, or national security-related research.
About this happening: The **UNK_MassTraction** campaign is a **China-linked** activity targeting **Roundcube** webmail at **U.S. and Canadian universities** and related research organizations to steal...
IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain
Malware Activity
H score36
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
How related:
The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data.
About this happening:
**IceCube** is a **Roundcube** post-exploitation activity targeting **U.S. and Canadian universities** and related research organizations, with observed use since **May** against...
IceCube, SNOWLIGHT, and VShell Roundcube post-exploitation chain
Malware ActivityHow related: The JavaScript payload, tracked by Proofpoint as IceCube, was used to steal usernames, passwords, cookies and authentication data.
About this happening: **IceCube** is a **Roundcube** post-exploitation activity targeting **U.S. and Canadian universities** and related research organizations, with observed use since **May** against...
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/Mitigation
H score38
First: 16.06.2026 08:41
Last: 16.06.2026 08:41
Sources 1
About this happening:
CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
CISA KEV mitigation for LiteSpeed cPanel Plugin (CVE-2026-54420)
Advisory/MitigationAbout this happening: CISA put **CVE-2026-54420** in **LiteSpeed cPanel Plugin** on the **KEV catalog**, ordering **FCEB agencies** to apply fixes by **June 18, 2026**. The flaw is a **CVSS 8.5 privile...
CISA orders FCEB patching for CVE-2026-9082
Public Sector Action
H score70
First: 26.05.2026 11:46
Last: 26.05.2026 11:46
Sources 1
About this happening:
**CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...
CISA orders FCEB patching for CVE-2026-9082
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-9082** to the **KEV Catalog** and ordered **FCEB agencies** to patch **Drupal** by **May 27**, turning an actively exploited flaw into a mandatory federa...
CISA KEV order for Copy Fail on federal Linux devices
Public Sector Action
H score33
First: 08.05.2026 10:45
Last: 08.05.2026 10:45
Sources 1
About this happening:
**CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
CISA KEV order for Copy Fail on federal Linux devices
Public Sector ActionAbout this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...
Timeline
-
07.07.2026 18:40 2 articles · 2d ago
UNK_MassTraction exploits Roundcube mail servers at US and Canadian universities
Exploitation ObservedProofpoint tracked the China-aligned UNK_MassTraction cluster targeting US and Canadian universities, especially physics and engineering departments, by abusing vulnerable Roundcube mail servers. The campaign used phishing emails with malicious content to exploit CVE-2024-42009 and run the IceCube JavaScript payload to steal usernames, passwords, cookies and authentication data, then leveraged CVE-2025-49113 to deploy a webshell or install the VShell backdoor for follow-on access into victim networks.
Show sources
- Suspected Chinese Threat Group Targets Universities via Vulnerable Roundcube Servers — www.infosecurity-magazine.com — 07.07.2026 18:40
- Hackers exploit Roundcube flaw to spy on academic researchers — www.bleepingcomputer.com — 08.07.2026 21:56
-
23.02.2026 13:44 2 articles · 4mo ago
CISA flags Roundcube Webmail flaws and orders patching
Legal Policy Action UpdateCISA added CVE-2025-49113 and CVE-2025-68461 in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, said the flaws are actively exploited in attacks, and ordered Federal Civilian Executive Branch agencies to secure affected systems within three weeks, by March 13. Roundcube had already released versions 1.6.12 and 1.5.12 to fix the issues in Roundcube 1.6.x and 1.5.x installations.
Show sources
- CISA: Recently patched RoundCube flaws now exploited in attacks — www.bleepingcomputer.com — 23.02.2026 13:44
- CISA: Recently patched RoundCube flaws now exploited in attacks — www.bleepingcomputer.com — 23.02.2026 13:44