UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign
Essential information
- Published
- 05/06/2025 22:36
- Modified
- 08/06/2025 16:33
- Tags
- 2025-06-05 CVE-2024-42009 CVE-2025-49113 credential-theft poland roundcube spearphishing unc1151 vulnerability exploitation
- Related entities
- 2 vulnerabilities (cve), 3 observables, 1 intrusion sets (apt), 6 techniques (mitre), 2 others
Description
A spear phishing campaign targeting Polish entities has been observed, exploiting the CVE-2024-42009 vulnerability in Roundcube to steal user credentials. The campaign, attributed to UNC1151, involves sending emails with malicious JavaScript that installs a Service Worker in the victim's browser. This worker intercepts login attempts and sends credentials to the attackers. The exploit allows code execution when an email is opened. A new vulnerability, CVE-2025-49113, has also been discovered in Roundcube, potentially creating a more effective attack chain. The attackers use harvested credentials to analyze mailboxes, download address books, and spread further phishing messages. Organizations using Roundcube are advised to update their installations and review logs for indicators of compromise.