Chinese Threat Group Exploits Roundcube Vulnerabilities in University Networks

Chinese Threat Group Exploits Roundcube Vulnerabilities in University Networks

First seen 7 Jul 2026, 12:27 UTC CyberscoopInfosecurity-Magazinewww.proofpoint.comnvd.nist.gov 87% similarity 77.0

Article Content

Browse articles
ThreatCluster

A suspected China-aligned threat group, tracked as UNK_MassTraction, has been exploiting vulnerabilities in Roundcube mail servers at U.S. and Canadian universities since May 2026. The campaign targets physics and engineering departments linked to national security, using phishing emails to exploit CVE-2024-42009, a cross-site scripting vulnerability. This allows attackers to execute JavaScript in victims' browsers, leading to credential theft and network access via CVE-2025-49113, a deserialization vulnerability. Proofpoint identified less than 10 confirmed victims but estimates that dozens of universities may be affected. The attackers employed generic lures in emails to trigger the initial access, indicating a broader targeting strategy. The campaign is ongoing, with researchers warning that many victims may remain unaware of the compromises.

Key Points: • Suspected China-aligned group UNK_MassTraction exploits Roundcube vulnerabilities. • Targeted departments include physics and engineering at U.S. and Canadian universities. • Attackers use phishing emails to exploit CVE-2024-42009 and CVE-2025-49113 for credential theft.

ThreatCluster AI

Timeline

2023-05-24
CVE-2023-2868 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2024-08-05
CVE-2024-42009 published
A cross-site scripting vulnerability in Roundcube allows remote attackers to steal emails via crafted messages.
nvd.nist.gov
2025-06-02
CVE-2025-49113 published
A deserialization vulnerability in Roundcube allows remote code execution by authenticated users.
nvd.nist.gov
2025-06-09
CVE-2024-42009 added to CISA KEV
CISA classified CVE-2024-42009 as actively exploited, raising awareness of the vulnerability.
nvd.nist.gov
2026-02-20
CVE-2025-49113 added to CISA KEV
CISA classified CVE-2025-49113 as actively exploited, indicating significant risk to affected systems.
nvd.nist.gov
2026-07-07
Proofpoint reports ongoing attacks
Proofpoint confirms ongoing exploitation of Roundcube vulnerabilities targeting universities, with potential for broader impact.
Proofpoint

Community

Browse all →