CVE: CVE-2024-42009 | CVSS 3.1: 9.3 (Critical) | Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | CWE: CWE-79 (Cross-Site Scripting) | Vendor: Roundcube | Product: Roundcube Webmail | Affected versions: Through 1.5.7 and 1.6.x through 1.6.7 | Threat Actor: UNK_MassTraction (suspected China-aligned)
What Is the Vulnerability
CVE-2024-42009 is a Cross-Site Scripting (XSS) vulnerability in Roundcube webmail through versions 1.5.7 and 1.6.x through 1.6.7. A remote attacker can steal and send emails of a victim via a crafted email message that abuses a desanitization issue in the message_body() function. While patched since 2024, the vulnerability is now being actively exploited by a suspected China-aligned threat cluster tracked as UNK_MassTraction by Proofpoint.
Versions Affected
- Roundcube through 1.5.7
- Roundcube 1.6.x through 1.6.7
Patched versions have been available since 2024. Organisations still running unpatched versions are at risk.
Exploited?
Yes — actively exploited by a suspected China-aligned threat cluster. Proofpoint identified the UNK_MassTraction cluster actively exploiting this vulnerability against physics and engineering departments at U.S. and Canadian universities. The attackers use compromised senders and spoofed domains with lax DMARC policies. Post-exploitation activity includes credential harvesting, web shell deployment, and use of the VShell post-exploitation tool. The targeting of academic departments with national security or STEM research ties is consistent with China-nexus espionage operations.
Fix
Roundcube released patches in 2024 that address CVE-2024-42009.
- Primary fix: Update Roundcube to the latest patched version (1.6.8+ or 1.5.8+).
- Workaround: Review DMARC policies for all email domains to reduce spoofing risk. Implement web application firewall rules to detect XSS payloads.
Recommendations
- Update Roundcube: If running an unpatched version, update immediately — the fix has been available since 2024.
- Review DMARC policies: Ensure all email domains have strict DMARC policies (p=reject) to prevent spoofing.
- Monitor for web shells: Check Roundcube web directories for unauthorised files.
- University IT teams: Physics, engineering, and national security-related departments should treat this as an active threat.
References
- The Hacker News: Roundcube Exploitation
- NVD Entry for CVE-2024-42009
- Proofpoint UNK_MassTraction Report
Part of the Vulnerability Intelligence series on threat-modeling.com. July 7, 2026 Report.
