Chinese Espionage Targets Universities via Roundcube Exploits

Chinese Espionage Targets Universities via Roundcube Exploits

First seen 7 Jul 2026, 12:27 UTC Cyberscoopwww.proofpoint.com 79% similarity 77.0

Article Content

Browse articles
ThreatCluster

A China-aligned threat group exploited vulnerabilities in Roundcube to infiltrate U.S. and Canadian universities, particularly targeting physics and engineering departments. The campaign, tracked as UNK_MassTraction, began in May 2026 and utilized CVE-2024-42009 to execute JavaScript in victims' browsers and CVE-2025-49113 to gain access to mail servers. Less than 10 universities have confirmed breaches, but many more may be affected. The attackers employed generic email lures to initiate the exploit, which only required victims to open the emails. The operation aims to steal sensitive data and establish long-term access via webshells and backdoors. Researchers noted the use of a covert network linked to multiple China-aligned groups and the presence of Chinese language artifacts in the phishing emails. The campaign is ongoing, with many victims potentially unaware of the attacks.

Key Points: • China-aligned attackers exploited Roundcube vulnerabilities targeting university departments. • The campaign, UNK_MassTraction, began in May 2026 and is still ongoing. • Less than 10 universities confirmed breaches, but many more may be impacted.

ThreatCluster AI

Timeline

2023-05-24
CVE-2023-2868 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-08-05
CVE-2024-42009 published
A cross-site scripting vulnerability in Roundcube was disclosed, allowing JavaScript execution.
Proofpoint
2025-06-02
CVE-2025-49113 published
A critical vulnerability in Roundcube was published, enabling exploitation for server access.
Proofpoint
2025-06-09
CVE-2024-42009 added to CISA KEV
CISA listed CVE-2024-42009 as actively exploited, raising awareness of the threat.
Proofpoint
2026-02-20
CVE-2025-49113 added to CISA KEV
CISA confirmed active exploitation of CVE-2025-49113, highlighting its critical nature.
Proofpoint
2026-07-07
Ongoing attacks reported
Proofpoint reported ongoing espionage attacks targeting universities, with many victims unaware.
Cyberscoop

Community

Browse all →