Executive Summary
In May 2026, Proofpoint researchers identified a cyber-espionage campaign targeting physics and engineering departments at U.S. and Canadian universities. The attackers, attributed to a China-aligned group known as UNK_MassTraction, exploited two critical vulnerabilities in the Roundcube email client—CVE-2024-42009 and CVE-2025-49113—to gain unauthorized access. By sending crafted emails, they executed malicious JavaScript and achieved remote code execution, leading to the installation of webshells and backdoors for persistent access. The campaign is ongoing, with several universities potentially affected.
This incident underscores the evolving tactics of state-sponsored threat actors, who are increasingly targeting academic institutions to access sensitive research data. The use of email-based exploit chains to compromise mail servers highlights the need for robust email security measures and prompt patching of known vulnerabilities to mitigate such threats.
Why This Matters Now
The exploitation of Roundcube vulnerabilities by state-sponsored actors targeting academic institutions emphasizes the critical need for timely software updates and enhanced email security protocols to protect sensitive research data from espionage activities.
Attack Path Analysis
Attackers exploited Roundcube vulnerabilities via malicious emails, escalating privileges to deploy webshells, moving laterally within university networks, establishing command and control channels, exfiltrating sensitive data, and potentially causing operational disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers sent malicious emails exploiting CVE-2024-42009, allowing JavaScript execution when the email was opened.
Related CVEs
CVE-2024-42009
CVSS 9.3A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7 allows a remote attacker to steal and send emails of a victim via a crafted e-mail message that abuses a desanitization issue in message_body() in program/actions/mail/show.php.
Affected Products:
Roundcube Webmail – <= 1.5.7, 1.6.0 - 1.6.7
Exploit Status:
exploited in the wildCVE-2025-49113
CVSS 8.8Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Affected Products:
Roundcube Webmail – < 1.5.10, 1.6.0 - 1.6.10
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: JavaScript
Server Software Component: Web Shell
Valid Accounts
Application Layer Protocol: Web Protocols
Email Collection
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Asset Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education/Acadamia
Direct target of Chinese state-sponsored espionage exploiting Roundcube vulnerabilities in physics/engineering departments, requiring enhanced email security and zero trust segmentation.
Defense/Space
High-value target for espionage campaigns targeting astrophysics research with national security implications, vulnerable to credential theft and persistent access via webshells.
Research Industry
Critical exposure to state-sponsored attacks seeking sensitive research data through email-based exploit chains, necessitating egress security and multicloud visibility controls.
Government Administration
Secondary impact through compromised university partnerships and research collaborations, facing lateral movement risks and encrypted traffic monitoring requirements for data protection.
Sources
- Suspected Chinese espionage group used a Roundcube exploit chain to burrow into universitieshttps://cyberscoop.com/china-espionage-attacks-us-canada-universities-proofpoint/Verified
- CVE-2024-42009 - RoundCube Webmail Cross-Site Scripting Vulnerability - [Actively Exploited]https://cvefeed.io/vuln/detail/CVE-2024-42009Verified
- Vulnerability impacting Roundcube Webmail – CVE-2025-49113https://www.cyber.gc.ca/en/alerts-advisories/vulnerability-impacting-roundcube-webmail-cve-2025-49113Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities via malicious emails would likely be constrained by enforcing strict identity-based access controls and segmentation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and deploy webshells would likely be constrained by enforcing strict segmentation and identity-based access controls.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained by enforcing strict east-west traffic controls.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained by enforcing strict visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained by enforcing strict egress security policies.
The overall impact of unauthorized access and data theft would likely be constrained by enforcing comprehensive Zero Trust policies.
Impact at a Glance
Affected Business Functions
- Email Communication
- Research Data Management
- Network Security
Estimated downtime: 7 days
Estimated loss: $500,000
Sensitive research data related to astrophysics and particle physics, potentially including proprietary information and national security-related communications.
Recommended Actions
Key Takeaways & Next Steps
- • Implement East-West Traffic Security to monitor and control lateral movement within the network.
- • Deploy Zero Trust Segmentation to enforce least privilege access and limit attacker movement.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- • Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Ensure regular patching and vulnerability management to mitigate known exploits.



