CVE-2020-35730

Vulnerability updated 7 months ago (2024-05-04T16:27:21.727Z)

Download STIX

Preview STIX

CVE-2020-35730 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, first discovered three years ago. The flaw has been actively exploited by threat actors in various campaigns. In the BlueDelta and APT28 campaigns, spear-phishing techniques were employed, with email attachments designed to exploit this vulnerability, along with CVE-2020-12641 and CVE-2021-44026, in the Roundcube email client. Upon opening these malicious emails, the vulnerabilities were triggered, enabling threat actors to run reconnaissance and exfiltration scripts, redirect incoming emails, and gather session cookies, user information, and address books. The threat actor Winter Vivern was observed exploiting this vulnerability, along with CVE-2023-5631, since October 11, 2023. The group manipulated news about the Russo-Ukrainian conflict to trick targets into opening harmful emails that leveraged these vulnerabilities. ESET researchers noted that besides known vulnerabilities in Roundcube [CVE-2020-35730], the group also took advantage of another XSS vulnerability in Zimbra [CVE-2022-27926]. Protection against these threats is provided by Check Point IPS blade and Threat Emulation, specifically for Roundcube Webmail Command Injection (CVE-2020-12641), Roundcube Webmail Cross-Site Scripting (CVE-2020-35730), and APT.Wins.Nobelium. As these vulnerabilities have been widely exploited, it's crucial for organizations using affected software to apply necessary patches and employ defensive measures to mitigate potential risks.

Description last updated: 2024-05-04T16:05:07.157Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

roundcube

Exploit

Reconnaissance

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT28 Threat Actor is associated with CVE-2020-35730. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)	Targets	3

Associated Vulnerabilities

To see the evidence that has resulted in these vulnerability associations, create a free account

Alias Description	Association Type	Votes
The CVE-2020-12641 Vulnerability is associated with CVE-2020-35730. CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne	Unspecified	5
The vulnerability CVE-2021-44026 is associated with CVE-2020-35730.	Unspecified	4
The CVE-2023-5631 Vulnerability is associated with CVE-2020-35730. CVE-2023-5631 is a software vulnerability that was identified and reported by ESET CNA on October 18, 2023. This flaw exists in the design or implementation of Roundcube webmail servers. The vulnerability can be exploited through specially crafted email messages, posing significant security risks.	is related to	2

Source Document References

Information about the CVE-2020-35730 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securityaffairs	7 months ago	NATO and the EU formally condemned APT28 cyber espionage
Securityaffairs	a year ago	Russia's APT8 exploited Outlook 0day to target EU NATO members
Securityaffairs	a year ago	Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts
CERT-EU	a year ago	Advanced threat predictions for 2024 – GIXtools
Securelist	a year ago	Kaspersky Security Bulletin: APT predictions 2024
CERT-EU	a year ago	Winter Vivern’s Roundcube Zero-Day Exploits
CERT-EU	a year ago	Several French critical networks subjected to Russian APT attacks
Securityaffairs	a year ago	ANSSI warns of Russia-linked APT28 attacks on French entities
CERT-EU	a year ago	Roundcube 0-day used to steal European government emails
CERT-EU	a year ago	Russian hacking group seen exploiting Roundcube webmail zero-day
Securityaffairs	a year ago	Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks
CERT-EU	a year ago	Pro-Russia group exploits zero-day in attacks on gov emails
CERT-EU	a year ago	Winter Vivern APT exploits Rouncube zero-day in attacks on European entities
InfoSecurity-magazine	a year ago	Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers
CERT-EU	a year ago	Winter Vivern exploits zero-day vulnerability in Roundcube Webmail servers
CERT-EU	a year ago	Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631) - Help Net Security
Checkpoint	a year ago	3rd July – Threat Intelligence Report - Check Point Research
CERT-EU	a year ago	Microsoft warns of rise in credential stealing attacks by Russia-linked group
CERT-EU	a year ago	Several bugs added to CISA vulnerability catalog
Securityaffairs	a year ago	CISA adds recently disclosed Apple flaws to its Known Exploited Vulnerabilities catalog