CVE-2024-42009 (CVSS 9.3): China-Aligned UNK_MassTraction Cluster Exploiting Roundcube Webmail Against US and Canadian Universities

CVE-2024-42009 (CVSS 9.3): China-Aligned UNK_MassTraction Cluster Exploiting Roundcube Webmail Against US and Canadian Universities

CVE: CVE-2024-42009 | CVSS 3.1: 9.3 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | CWE: CWE-79 (Cross-Site Scripting) | Vendor: Roundcube | Product: Roundcube Webmail | Affected versions: Through 1.5.7 and 1.6.x through 1.6.7 | Threat Actor: UNK_MassTraction (suspected China-aligned)


What Is the Vulnerability

CVE-2024-42009 is a Cross-Site Scripting (XSS) vulnerability in Roundcube webmail through versions 1.5.7 and 1.6.x through 1.6.7. A remote attacker can steal and send emails of a victim via a crafted email message that abuses a desanitization issue in the message_body() function. While patched since 2024, the vulnerability is now being actively exploited by a suspected China-aligned threat cluster tracked as UNK_MassTraction by Proofpoint.


Versions Affected

  • Roundcube through 1.5.7
  • Roundcube 1.6.x through 1.6.7

Patched versions have been available since 2024. Organisations still running unpatched versions are at risk.


Exploited?

Yes — actively exploited by a suspected China-aligned threat cluster. Proofpoint identified the UNK_MassTraction cluster actively exploiting this vulnerability against physics and engineering departments at U.S. and Canadian universities. The attackers use compromised senders and spoofed domains with lax DMARC policies. Post-exploitation activity includes credential harvesting, web shell deployment, and use of the VShell post-exploitation tool. The targeting of academic departments with national security or STEM research ties is consistent with China-nexus espionage operations.


Fix

Roundcube released patches in 2024 that address CVE-2024-42009.

  • Primary fix: Update Roundcube to the latest patched version (1.6.8+ or 1.5.8+).
  • Workaround: Review DMARC policies for all email domains to reduce spoofing risk. Implement web application firewall rules to detect XSS payloads.

Recommendations

  • Update Roundcube: If running an unpatched version, update immediately — the fix has been available since 2024.
  • Review DMARC policies: Ensure all email domains have strict DMARC policies (p=reject) to prevent spoofing.
  • Monitor for web shells: Check Roundcube web directories for unauthorised files.
  • University IT teams: Physics, engineering, and national security-related departments should treat this as an active threat.

References


Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!