CVE-2021-44026
Published: 2021-11-19
Priority: P1 (89) · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: CISA KEV · exploited in the wild · initial access
CISA Known Exploited Vulnerability, remediation due 2023-07-13
EPSS: 42.91% (98.6th percentile)
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | roundcube | < roundcube 1.5.0+dfsg.1-1 (bookworm) | roundcube 1.5.0+dfsg.1-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| roundcube | webmail | < 1.3.17 | 1.3.17 |
| roundcube | webmail | >= 1.4.0 < 1.4.12 | 1.4.12 |
Detection & IOCs (extracted from sources)
- Exploit delivered via spearphishing email attachment containing JavaScript code that executes additional JavaScript payloads from attacker-controlled infrastructure, exploiting CVE-2021-44026 (SQL injection via search/search_params) in Roundcube
- Post-exploitation activity includes redirecting incoming emails to attacker-controlled addresses and harvesting session cookies, user information, and address books from Roundcube
- CVE-2021-44026 exploited as SQL injection via the Roundcube search or search_params parameter; monitor for anomalous SQL-like patterns in Roundcube search requests
- CVE-2021-44026 was used in a confirmed data breach to exfiltrate over one million user records from a Roundcube deployment; monitor for large-scale unauthorized database reads via Roundcube
- APT28/BlueDelta used CVE-2021-44026 alongside CVE-2020-12641 and CVE-2020-35730 in chained Roundcube exploitation; detection of any one should prompt investigation for the others
- Sender email address ukraine_news@meta[.]ua used as a lure in spearphishing campaigns exploiting CVE-2021-44026; flag inbound emails from this address
- CVE-2021-44026 affects Roundcube versions before 1.3.17 and 1.4.x before 1.4.12; patched versions are not vulnerable to this SQL injection vector
- IP address observability windows are time-bounded; infrastructure may have rotated, so treat older IPs (pre-2022) with lower confidence for current blocking
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 6.1 | MEDIUM | — |
CISA
Roundcube Webmail SQL Injection Vulnerability
cisa · 2023-06-22 · CVSS 9.8
CVE-2021-44026 [CRITICAL] CWE-89
Vulnerability: Roundcube Webmail SQL Injection Vulnerability
Affected: Roundcube Roundcube Webmail
Roundcube Webmail is vulnerable to SQL injection via search or search_params.
Required Action: Apply updates per vendor instructions.
Notes: https://roundcube.net/news/2021/11/12/security-updates-1.4.12-and-1.3.17-released; https://nvd.nist.gov/vuln/detail/CVE-2021-44026
Remediation Due Date: 2023-07-13
Ubuntu
Roundcube Webmail vulnerabilities
vendor_ubuntu · 2022-08-08 · CVSS 6.1
CVE-2020-13964 [MEDIUM]
Summary: Several security issues were fixed in Roundcube Webmail.
It was discovered that Roundcube Webmail allowed JavaScript code to be present
in the CDATA of an HTML message. A remote attacker could possibly use this
issue to execute a cross-site scripting (XSS) attack. This issue only affected
Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM. (CVE-2020-12625)
It was discovered that Roundcube Webmail incorrectly processed login and
logout POST requests. An attacker could possibly use this issue to launch a
cross-site request forgery (CSRF) attack and force an authenticated user to be
logged out. This issue only affected Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and
Ubuntu 20.04 ESM. (CVE-2020-12626)
It was discovered that Roundcube Webmail in
Debian
CVE-2021-44026: roundcube - Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL inje...
vendor_debian · 2021 · CVSS 9.8
CVE-2021-44026 [CRITICAL]
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
Scope: local
bookworm: resolved (fixed in 1.5.0+dfsg.1-1)
bullseye: resolved (fixed in 1.4.12+dfsg.1-1~deb11u1)
forky: resolved (fixed in 1.5.0+dfsg.1-1)
sid: resolved (fixed in 1.5.0+dfsg.1-1)
trixie: resolved (fixed in 1.5.0+dfsg.1-1)
OSV
roundcube vulnerabilities
osv · 2022-08-08 · CVSS 6.1
CVE-2020-12625 [MEDIUM]
It was discovered that Roundcube Webmail incorrectly processed new plugin names
in rcube_plugin_api.php. An attacker could po
GHSA
GHSA-5fmq-jmc8-85rw: Roundcube before 1
ghsa_unreviewed · 2022-05-24
CVE-2021-44026 [CRITICAL] CWE-89
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
OSV
CVE-2021-44026: Roundcube before 1
osv · 2021-11-19 · CVSS 9.8
CVE-2021-44026 [CRITICAL]
Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
VulnCheck
Roundcube Webmail SQL Injection Vulnerability
vulncheck · 2021 · CVSS 9.8
CVE-2021-44026 [CRITICAL] CWE-89
Roundcube Webmail is vulnerable to SQL injection via search or search_params.
Affected: Roundcube Roundcube Webmail
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cert.gov.ua/article/4905829; https://go.recordedfuture.com/hubfs/reports/cta-2023-0620.pdf; https://www.recordedfuture.com/bluedelta-exploits-ukrainian-government-roundcube-mail-servers; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://redalert.nshc.net/blog/; https://redalert.nshc.net/2024/07/29/2023-activities-summary-of-sectorc-groups-jpn/; https://www.maverits.com/post/apt28-the-long-hand-of-russian-interests; https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a; https://www.lo
No detection rules found.
No public exploits indexed.
Bleepingcomputer
Hacker steals 1 million Cock.li user records in webmail data breach
blogs_bleepingcomputer · 2025-06-17
By Bill Toulas
Email hosting provider Cock.li has confirmed it suffered a data breach after threat actors exploited flaws in its now-retired Roundcube webmail platform to steal over a million user records.
The incident exposed all users who had logged in to the mail service since 2016, estimated at 1,023,800 people, along with contact entries for an additional 93,000 users.
Cock.li is a Germany-based free email hosting provider with a privacy-focused ethos and lax moderation policies, run by a single operator known as 'Vincent Canfield' since 2013.
It is promoted as an alternative to mainstream email providers, supporting standard security protocols like SMTP, IMAP, and TLS.
Cock.li is used by people who distrust
Bleepingcomputer
Russian hackers breach orgs to track aid routes to Ukraine
blogs_bleepingcomputer · 2025-05-21 · CVSS 9.8 [CRITICAL]
By Ionut Ilascu
A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
The hackers targeted entities in the defense, transportation, IT services, air traffic, and maritime sectors in 12 European countries and the United States.
Additionally, the hackers have been tracking the movement of materials into Ukraine by compromising access to private cameras installed in key locations (e.g. border crossings, military installations, rail stations).
A joint advisory from 21 intelligence and cybersecurity agencies in nearly a dozen countries shares the tactics, techniques, a
Securelist
Advanced threat predictions for 2024
blogs_securelist · 2023-11-14
Table of Contents
A review of last year’s predictions
1. The rise of destructive attacks
2. Mail servers become priority targets
3. The next WannaCry
4. APT targeting turns toward satellite technologies, producers and operators
5. Hack-and-leak is the new black (and bleak)
6. More APT groups will move from Cobalt Strike to other alternatives
7. SIGINT-delivered malware
8. Drone hacking!
APT predictions for 2024
The rise of creative exploits for mobile, wearables and smart devices
Building new botnets with consumer and corporate software and appliances
Barriers to kernel-level code execution increasingly evaded (kernel rootkits hot again)
Growth in cyberattacks by state-sponsored actors
Hacktivism in cyber-warfare: the new normal in geopolitical conflicts
Supply chain attack
Securelist
Kaspersky Security Bulletin: APT predictions 2024
blogs_securelist · 2023-11-14
Table of Contents
- A review of last year’s predictions
- APT predictions for 2024
Authors
- GReAT
Advanced persistent threats (APTs) are the most dangerous threats, as they employ complex tools and techniques, and often are highly targeted and hard to detect. Amid the global crisis and escalating geopolitical confrontations, these sophisticated cyberattacks are even more dangerous, as there is often more at stake.
At Kaspersky’s Global Research and Analysis Team (GReAT), we monitor a number of APT groups, analyze trends and try to anticipate their future developments to keep ahead of the evolving threat landscape and keep our customers safe. In this article, we will review the past year’s trends to see which of our 2023 predictions have come true, and try to predict what is to come i
Bleepingcomputer
France says Russian state hackers breached numerous critical networks
blogs_bleepingcomputer · 2023-10-26 · CVSS 9.8 (CVE-2023-38831 [CRITICAL])
By Bill Toulas
The Russian APT28 hacking group (aka 'Strontium' or 'Fancy Bear') has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.
The threat group, which is considered part of Russia's military intelligence service GRU, was recently linked to the exploitation of CVE-2023-38831, a remote code execution vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.
The Russian hackers have been compromising peripheral devices on critical networks of French organizations and moving away from utilizing backdoors to evade detection.
This is according to a newly published report from
Recorded Future
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities
blogs_recorded_future · CVSS 9.8 [CRITICAL]
Recorded Future's Insikt Group, in partnership with Ukraine's Computer Emergency Response Team (CERT-UA), has uncovered a campaign targeting high-profile entities in Ukraine that was cross-correlated with a spearphishing campaign uncovered by Recorded Future’s Network Traffic Intelligence. The campaign leveraged news about Russia’s war against Ukraine to encourage recipients to open emails, which immediately compromised vulnerable Roundcube servers (an open-source webmail software), using CVE-2020-35730, without engaging with the attachment. We found that the campaign overlaps with historic BlueDelta activity exploiting the Microsoft Outlook zero-day vulnerability CVE-2023-23397 in 2022.
The
References
- https://bugs.debian.org/1000156
- https://github.com/roundcube/roundcubemail/commit/c8947ecb762d9e89c2091bda28d49002817263f1
- https://github.com/roundcube/roundcubemail/commit/ee809bde2dcaa04857a919397808a7296681dcfa
- https://lists.debian.org/debian-lts-announce/2021/12/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NDVGIZMQJ5IOM47Y3SAAJRN5VPANKTKO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TP3Y5RXTUUOUODNG7HFEKWYNIPIT2NL4/
- https://www.debian.org/security/2021/dsa-5013
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-44026
Timeline
- 2021-11-19: Published
- 2023-06-22: Added to CISA KEV
- Exploited in the wild