CVE-2024-37383 — RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability


Roundcube Webmail SVG animate — APT28/Fancy Bear Exploited Stored XSS in Email Against Ukrainian Government; Fixed in 1.5.7 / 1.6.7; KEV October 2024

What is Roundcube Webmail?

Roundcube is an open-source webmail client widely deployed by hosting providers, ISPs, and government organizations — particularly in Eastern Europe. It provides a browser-based interface for reading, composing, and managing email. Roundcube is especially prevalent in Ukrainian government ministries, NGOs, and media organizations, making it a recurring target for Russian-nexus APT groups conducting surveillance operations against Ukrainian entities. APT28 (Fancy Bear / GruesomeLarch), a GRU-affiliated group, has exploited multiple Roundcube XSS vulnerabilities over consecutive years as part of targeted intelligence collection campaigns.

Overview

CVE-2024-37383 is a cross-site scripting (XSS) vulnerability in Roundcube Webmail arising from insufficient filtering of SVG <animate> element attributes. When a specially crafted HTML email containing a malicious SVG is opened in Roundcube, the embedded JavaScript executes in the victim's browser in the webmail's origin context — enabling session token theft, email exfiltration, and account takeover. ESET Research confirmed exploitation by APT28 targeting Ukrainian government organizations, prompting CISA to add the vulnerability to KEV in October 2024 — five months after the patch was available.

Affected Versions

Product              Vulnerable   Fixed
Roundcube Webmail    < 1.5.7      1.5.7
Roundcube Webmail    < 1.6.7      1.6.7

Technical Details

CWE-79 (Cross-Site Scripting). Roundcube's HTML email sanitizer improperly handles SVG <animate> elements — specifically, attribute values within <animate> tags are not fully escaped or filtered, allowing JavaScript event handlers or script-bearing attribute values to survive the sanitization pass and execute when the browser renders the SVG within the email view. When the victim opens the malicious email in Roundcube, the injected script executes in the webmail's origin context (S:C — Scope Changed), giving the attacker JavaScript execution within the domain hosting Roundcube.

Executing JavaScript in the webmail origin allows the attacker to: steal session cookies and authentication tokens (for account takeover), silently read and exfiltrate emails, send emails impersonating the victim, and access server-side APIs in Roundcube's PHP backend with the victim's session. For government officials whose email passes through Roundcube, this constitutes full surveillance access to their correspondence.
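As an added illustration (not Roundcube's own sanitizer, whose fix this page does not quote), the following Python allowlist filter shows the defensive rule the description above implies for SVG animation elements: every attribute on an <animate>/<set> element must be on an allowlist (so on* event handlers never survive), every attribute value must match a conservative character set (so scheme-bearing values never survive), and the animated target must itself be a geometry or presentation attribute. The element and attribute sets, the value character class and the sample input are all constructed for this example.

```python
"""Allowlist sanitizer for SVG animation elements inside HTML email.

Added illustration, not Roundcube's sanitizer. Only animation elements are
policed here; a production sanitizer applies allowlists to every element
and attribute of the message.
"""
import html
import re
from html.parser import HTMLParser

ANIMATION_ELEMENTS = {"animate", "set", "animatemotion", "animatetransform"}

# Attributes an animation element may carry (constructed, deliberately narrow).
# Anything else, including on* handlers, href and xlink:href, drops the element.
ALLOWED_ANIM_ATTRS = {
    "attributename", "attributetype", "begin", "dur", "end", "repeatcount",
    "repeatdur", "fill", "from", "to", "by", "values", "keytimes", "calcmode",
    "additive", "accumulate", "type",
}

# Attributes that may be animated: geometry and presentation only, never
# anything that can hold a URL or script.
ANIMATABLE_TARGETS = {
    "opacity", "fill", "stroke", "stroke-width", "fill-opacity", "x", "y",
    "cx", "cy", "r", "rx", "ry", "width", "height", "transform",
}

# Character allowlist for values: numbers, colours, keywords, lists. Scheme
# separators (":" "/") and markup characters are deliberately absent.
_SAFE_VALUE = re.compile(r"[A-Za-z0-9#.,;+\-\s%()]*")


def animation_element_ok(attrs):
    """True only if every attribute, every value and the animated target pass."""
    for name, value in attrs:
        if name not in ALLOWED_ANIM_ATTRS:
            return False
        if value is not None and _SAFE_VALUE.fullmatch(value) is None:
            return False
    target = dict(attrs).get("attributename") or ""
    return target.lower() in ANIMATABLE_TARGETS


class SvgAnimationSanitizer(HTMLParser):
    """Re-serialises markup, dropping animation elements that fail the allowlist."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_dropped = []  # start tags that were dropped; their end tags go too
        self.removed = 0

    def _emit_tag(self, tag, attrs, self_closing):
        # HTMLParser hands us lower-cased names and unescaped values; re-escape on output.
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None else f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ("/>" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag in ANIMATION_ELEMENTS and not animation_element_ok(attrs):
            self.removed += 1
            self.open_dropped.append(tag)
            return
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag in ANIMATION_ELEMENTS and not animation_element_ok(attrs):
            self.removed += 1
            return
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if self.open_dropped and self.open_dropped[-1] == tag:
            self.open_dropped.pop()
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))


def sanitize(fragment):
    """Return (sanitised markup, number of animation elements removed)."""
    parser = SvgAnimationSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: one benign fade, one element carrying an event-handler
# attribute, one whose value carries a URL-style scheme. Not a real payload.
SAMPLE = (
    '<svg width="10" height="10"><circle r="4">'
    '<animate attributeName="opacity" from="0" to="1" dur="1s" repeatCount="indefinite"/>'
    '<set attributeName="r" to="5" onbegin="constructed"/>'
    '<animate attributeName="r" to="constructed://not-safe" dur="1s"/>'
    '</circle></svg>'
)

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE)
    print(removed, "animation element(s) removed")
    print(clean)
```

The design point is that the filter never tries to recognise dangerous values; it only recognises safe ones, so an attribute or encoding the author did not think of fails closed rather than slipping through.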

Discovery

Identified and reported to Roundcube; patched in May 2024. Exploitation was confirmed by ESET Research, who observed APT28 using this XSS in targeted campaigns against Ukrainian government email. The October 2024 KEV addition followed ESET's reporting, which documented APT28's continued pattern of weaponizing Roundcube vulnerabilities — including prior exploits in 2023 (CVE-2023-5631) and earlier years, establishing a sustained campaign against Roundcube-using government organizations.

Exploitation Context

APT28 (GRU Unit 26165, also tracked as Fancy Bear, Sofacy, STRONTIUM) is a Russian military intelligence cyber operation unit with a long-documented history of targeting Ukrainian government, military, media, and NGO email infrastructure. Their Roundcube exploitation pattern is operationally efficient: send a single specially crafted email to a target; if the target opens it in Roundcube, the attacker gains persistent session access to the target's email account without any additional interaction. The Scope Changed (S:C) rating reflects that the script runs in the webmail's browser context — crossing from attacker-controlled email content into the victim's authenticated webmail session.

This vulnerability is part of a multi-year APT28 campaign systematically targeting Roundcube as a surveillance tool against Ukrainian government communications.

Remediation

  1. Upgrade Roundcube to version 1.5.7 or 1.6.7 immediately — the patch has been available since May 2024.
  2. Review Roundcube access logs for the period between the vulnerability's introduction and patching — look for unusual email access patterns, unexpected logins from new IPs, or evidence of mass email exfiltration.
  3. Invalidate all active Roundcube sessions after upgrading to force re-authentication and expire any attacker-held session tokens.
  4. Consider restricting Roundcube access to VPN or trusted IP ranges where organizational policy allows — reducing the attack surface by limiting who can interact with the XSS delivery vector.
  5. For high-risk organizations (Ukrainian government, defense, NGOs), treat any unpatched Roundcube instance as potentially compromised and perform a full forensic review of email access logs.
  6. Migrate to a more actively maintained webmail solution with a dedicated security team if Roundcube upgrades cannot be applied promptly — the pattern of recurring APT28 exploitation reflects long-term targeting that will continue.
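To support step 1 across a fleet of hosts, here is an added Python helper (not a Roundcube or CISA tool) that decides from a version string whether an instance falls in the range given in the Affected Versions table. The inventory it triages is constructed; the handling of pre-release suffixes and of branches other than 1.5 and 1.6 is this example's assumption: anything below 1.5.7 is treated as affected, anything on a branch newer than 1.6 as fixed, and a pre-release of a fixed version is ordered below that release.

```python
"""Triage Roundcube version strings against the CVE-2024-37383 fixed releases.

Added example, not project code. Fixed versions come from the advisory;
branch and pre-release handling are this example's assumptions.
"""
import re

# Fixed release per branch, from the advisory.
FIXED = {(1, 5): (1, 5, 7), (1, 6): (1, 6, 7)}
OLDEST_FIXED = (1, 5, 7)

# major.minor[.patch][-suffix]; a suffix such as "-rc" or "-git" marks a pre-release.
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?([A-Za-z].*))?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease); raise ValueError on junk."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix is not None


def is_affected(text):
    """True if the version is below the fixed release for its branch."""
    version, prerelease = parse_version(text)
    branch = version[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
    elif branch < OLDEST_FIXED[:2]:
        return True   # assumption: older branches sit below 1.5.7 by definition
    else:
        return False  # assumption: branches newer than 1.6 carry the fix
    if prerelease and version == fixed:
        return True   # e.g. 1.6.7-rc predates the 1.6.7 release
    return version < fixed


def triage(inventory):
    """Map host -> 'upgrade' / 'ok' / 'unknown' from a {host: version} inventory."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = "upgrade" if is_affected(version) else "ok"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed inventory; hostnames and versions are illustrative.
INVENTORY = {
    "mail-a.example": "1.6.6",
    "mail-b.example": "1.6.10",
    "mail-c.example": "1.5.7",
    "mail-d.example": "1.4.13",
    "mail-e.example": "1.6.7-rc",
    "mail-f.example": "n/a",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(INVENTORY).items()):
        print(f"{host:16} {INVENTORY[host]:10} {verdict}")
```

Versions are compared as integer tuples, not strings: a string comparison would rank "1.6.10" below "1.6.7" and report a patched host as needing an upgrade.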

Key Details

Property               Value
CVE ID                 CVE-2024-37383
Vendor / Product       Roundcube — Webmail
NVD Published          2024-06-07
NVD Last Modified      2025-10-31
CVSS 3.1 Score         6.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Severity               MEDIUM
CWE                    CWE-79
CISA KEV Added         2024-10-24
CISA KEV Deadline      2024-11-14
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       Required
Scope                  Changed
Confidentiality        Low
Integrity              Low
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2024-11-14. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-05-19    Roundcube releases versions 1.5.7 and 1.6.7 patching CVE-2024-37383
2024-06-07    CVE-2024-37383 published
2024-10-24    CISA adds to Known Exploited Vulnerabilities catalog — ESET Research reports APT28 exploitation
2024-11-14    CISA BOD 22-01 remediation deadline