CVE-2020-35730

Vulnerability Profile Updated a month ago
Download STIX
Preview STIX
CVE-2020-35730 is a Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail, first discovered three years ago. The flaw has been actively exploited by threat actors in various campaigns. In the BlueDelta and APT28 campaigns, spear-phishing techniques were employed, with email attachments designed to exploit this vulnerability, along with CVE-2020-12641 and CVE-2021-44026, in the Roundcube email client. Upon opening these malicious emails, the vulnerabilities were triggered, enabling threat actors to run reconnaissance and exfiltration scripts, redirect incoming emails, and gather session cookies, user information, and address books. The threat actor Winter Vivern was observed exploiting this vulnerability, along with CVE-2023-5631, since October 11, 2023. The group manipulated news about the Russo-Ukrainian conflict to trick targets into opening harmful emails that leveraged these vulnerabilities. ESET researchers noted that besides known vulnerabilities in Roundcube [CVE-2020-35730], the group also took advantage of another XSS vulnerability in Zimbra [CVE-2022-27926]. Protection against these threats is provided by Check Point IPS blade and Threat Emulation, specifically for Roundcube Webmail Command Injection (CVE-2020-12641), Roundcube Webmail Cross-Site Scripting (CVE-2020-35730), and APT.Wins.Nobelium. As these vulnerabilities have been widely exploited, it's crucial for organizations using affected software to apply necessary patches and employ defensive measures to mitigate potential risks.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
roundcube
Exploit
Reconnaissance
Spearphishing
Ukraine
Eset
Zimbra
Vulnerability
Microsoft
exploited
Phishing
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
APT28Targets
3
APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor group that has been active since 2007. This Russia-linked entity targets governments, militaries, and security organizations worldwide with malicious intent. In recent years, the group has
BluedeltaUnspecified
1
Bluedelta is a threat actor associated with the Russian state-sponsored hacking operation APT28 or Fancy Bear. In a recent spear-phishing campaign that began in November 2021, several government entities and a military aviation organization in Ukraine had their email servers targeted by Bluedelta. T
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
CVE-2020-12641Unspecified
5
CVE-2020-12641 is a significant vulnerability discovered in the Roundcube Webmail application. It is an issue that arises from a flaw in the software's design or implementation, which allows for Command Injection and Cross-Site Scripting (XSS) attacks (CVE-2020-35730). The exploitation of this vulne
CVE-2021-44026Unspecified
4
None
CVE-2023-5631is related to
2
CVE-2023-5631 is a software vulnerability that was identified and reported by ESET CNA on October 18, 2023. This flaw exists in the design or implementation of Roundcube webmail servers. The vulnerability can be exploited through specially crafted email messages, posing significant security risks.
CVE-2022-27926Unspecified
1
CVE-2022-27926 is a software vulnerability identified in Zimbra instances. This flaw in software design or implementation has been exploited by Winter Vivern (also known as TA473), a Russian hacking group, to gain unauthorized access to sensitive email communications. The targets of this cyber espio
FollinaUnspecified
1
Follina, also known as CVE-2022-30190, is a notable software vulnerability that was discovered and exploited in the first half of 2022. This flaw, found in the Microsoft Windows Support Diagnostic Tool (MSDT), was weaponized by TA413, a cyber threat actor group with suspected ties to China. The grou
Source Document References
Information about the CVE-2020-35730 Vulnerability was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
8 months ago
Roundcube 0-day used to steal European government emails
Securityaffairs
a year ago
CISA adds recently disclosed Apple flaws to its Known Exploited Vulnerabilities catalog
CERT-EU
a year ago
Several bugs added to CISA vulnerability catalog
Recorded Future
a year ago
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities | Recorded Future
CERT-EU
7 months ago
Advanced threat predictions for 2024 – GIXtools
CERT-EU
8 months ago
Several French critical networks subjected to Russian APT attacks
Securityaffairs
a year ago
APT28 hacked Roundcube email servers of Ukrainian entities
Checkpoint
a year ago
3rd July – Threat Intelligence Report - Check Point Research
CERT-EU
a year ago
Russia’s APT28 breached Ukrainian orgs via RoundCube flaws
BankInfoSecurity
a year ago
Ukraine Tracks Multiple Spear-Phishing Campaigns From Russia
Securityaffairs
a month ago
NATO and the EU formally condemned APT28 cyber espionage
CERT-EU
a year ago
CISA Tells US Agencies to Patch Exploited Roundcube, VMware Flaws
CERT-EU
8 months ago
Winter Vivern APT exploits Rouncube zero-day in attacks on European entities
CERT-EU
8 months ago
Russian hacking group seen exploiting Roundcube webmail zero-day
CERT-EU
a year ago
Governmental Agencies Ordered by CISA to Patch Vulnerabilities Exploited by Russian APT Groups
CERT-EU
a year ago
Russian hackers breach Ukrainian government and military entities
Securityaffairs
8 months ago
Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks
CERT-EU
8 months ago
Roundcube webmail zero-day exploited to spy on government entities (CVE-2023-5631) - Help Net Security
CERT-EU
a year ago
CISA Adds Six Known Exploited Vulnerabilities to Catalog | CISA
InfoSecurity-magazine
8 months ago
Winter Vivern: Zero-Day XSS Exploit Targets Roundcube Servers