China-Aligned Hackers Exploit Roundcube Flaws to Target U.S. and Canadian Universities
UNK_MassTraction exploits CVE-2024-42009 and CVE-2025-49113 in Roundcube webmail to compromise physics and engineering departments, deploying VShell and SquareShell for persistent access.
Attack Brief
TargetRoundcube webmail software at U.S. and Canadian universitiesVectorExploitation of critical XSS and remote code execution vulnerabilities (CVE-2024-42009, CVE-2025-49113) via phishing emails targeting university administrators and professorsAttributionUNK_MassTraction (suspected China-aligned threat cluster)
Technical Details
CVE IDsCVE-2024-42009CVE-2025-49113MITRE ATT&CKT1566.002T1203T1598.003T1056.004T1190T1505.003IoCsplugins/newmail_notifier/mail_preview.phpAffectedRoundcube webmail versions susceptible to CVE-2024-42009 (CVSS 9.3) and CVE-2025-49113 (CVSS 9.9)
Impact
Affected OrganisationsPhysics and engineering departments at U.S. and Canadian universities with national security ties or astrophysics/particle physics research focusSectorsHigher EducationResearchGeographyUnited StatesCanada
Mitigation
PatchesApply patches for CVE-2024-42009Apply patches for CVE-2025-49113DetectionMonitor for HTTP POST requests exfiltrating credentials, 2FA tokens, and cookies; detect SquareShell and VShell deployment via plugins/newmail_notifier/mail_preview.php endpoint; identify CSRF token abuse in post-authenticated RCE exploitation chains
Context
Similar AttacksExploitation of Roundcube vulnerabilities as pivot points for network intrusion; use of credential harvesting payloads (IceCube) followed by post-exploitation tool deployment
Source
https://thehackernews.com/2026/07/suspected-china-aligned-hackers-exploit.htmlby Proofpoint (researchers Greg Lesnewich and Mark Kelly)on 2026-07-07T00:00:00Z2 sources