UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A spearphishing campaign targeting Polish entities has been observed exploiting CVE-2024-42009, a cross-site scripting vulnerability in Roundcube webmail, to steal user credentials. The campaign, attributed to UNC1151, delivers emails carrying malicious JavaScript that runs in the victim's browser as soon as the message is opened, with no further interaction. The script installs a Service Worker in the browser, which then intercepts subsequent login attempts to the webmail and forwards the captured credentials to the attackers. A separate, more recently disclosed Roundcube vulnerability, CVE-2025-49113, requires an authenticated session, so credentials harvested this way could potentially be combined with it into a more effective attack chain. The attackers use the harvested credentials to analyze mailboxes, download address books, and send further phishing messages from the compromised accounts. Organizations running Roundcube are advised to update their installations and review logs for indicators of compromise.
OPENCTI LABELS :
credential theft,roundcube,spearphishing,poland,vulnerability exploitation,unc1151,cve-2024-42009,cve-2025-49113
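As an added example (not code from the report or from the Roundcube project), the following Python script checks a Roundcube install's version against the releases that fixed the two CVEs named above. It assumes the fixed versions published in the Roundcube release announcements (1.6.8 and 1.5.8 for CVE-2024-42009, 1.6.11 and 1.5.10 for CVE-2025-49113) and reads RCMAIL_VERSION from program/include/iniset.php, the default location in a Roundcube install; the embedded iniset.php snippet is constructed sample input. The point it makes is that Roundcube ships two maintained branches, so a global numeric comparison gives wrong answers (1.5.10 is fixed while the numerically higher 1.6.10 is not).

```python
"""Branch-aware check of a Roundcube install against the fixed releases for
CVE-2024-42009 and CVE-2025-49113.

Added example, not code from the report or from the Roundcube project.
Assumptions: the fixed versions below are taken from the Roundcube release
announcements (1.6.8 / 1.5.8 for CVE-2024-42009, 1.6.11 / 1.5.10 for
CVE-2025-49113); the version string is read from the RCMAIL_VERSION define in
program/include/iniset.php, the default location in a Roundcube install.
"""
import re
from pathlib import Path

# cve -> {release branch (major, minor): first fixed version on that branch}
FIXED_IN = {
    "CVE-2024-42009": {(1, 5): (1, 5, 8), (1, 6): (1, 6, 8)},
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},
}

VERSION_DEFINE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed sample of the relevant line from iniset.php (not a real file).
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.8');
"""


def parse_version(text):
    """Turn '1.6.8', '1.6.11-git' or '1.6-rc' into a (major, minor, patch) tuple.
    Suffixes such as '-git' are ignored: a git snapshot is treated as at least
    its base version, which is the optimistic reading."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if len(nums) < 2:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    nums += [0] * (3 - len(nums))
    return tuple(nums[:3])


def is_fixed(version, cve):
    """True if `version` includes the fix for `cve`.

    Roundcube maintains two release branches in parallel, so 1.5.10 is fixed
    for CVE-2025-49113 even though it is numerically lower than the vulnerable
    1.6.10: compare within the branch, not globally."""
    fixes = FIXED_IN[cve]
    branch = version[:2]
    if branch in fixes:
        return version >= fixes[branch]
    # Branches older than the oldest maintained one never received the fix;
    # anything newer than the newest maintained branch was released after it.
    return branch > max(fixes)


def assess(version_text):
    """Map each tracked CVE to whether the given version string is fixed."""
    version = parse_version(version_text)
    return {cve: is_fixed(version, cve) for cve in FIXED_IN}


def version_from_iniset(source):
    """Extract the RCMAIL_VERSION string from the text of iniset.php."""
    match = VERSION_DEFINE.search(source)
    if not match:
        raise ValueError("RCMAIL_VERSION define not found")
    return match.group(1)


def assess_install(roundcube_root):
    """Read program/include/iniset.php under `roundcube_root` and assess it."""
    source = Path(roundcube_root, "program", "include", "iniset.php").read_text()
    return assess(version_from_iniset(source))


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        result = assess_install(sys.argv[1])  # e.g. /var/www/roundcube
    else:
        result = assess(version_from_iniset(SAMPLE_INISET))
    for cve, fixed in result.items():
        print(f"{cve}: {'fixed' if fixed else 'VULNERABLE'}")
```

Run it with the path to the Roundcube document root as the only argument; with no argument it assesses the embedded sample (1.6.8, which has the XSS fix but not the CVE-2025-49113 fix). A version check is only the first step the report calls for: an install that was vulnerable during the campaign window still needs its logs reviewed, since the stolen credentials remain valid after patching until they are rotated.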