CVE-2021-44026
published 2021-11-19

CVE-2021-44026: Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.

Priority: P1 (89) · critical · 9.8 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2023-07-13
Exploited in the wild
EPSS: 42.91% (98.6th percentile)

Affected

8 ranges
Vendor          Product        Version range                           Fixed in
debian          debian_linux
debian          debian_linux
debian          debian_linux
debian          roundcube      < roundcube 1.5.0+dfsg.1-1 (bookworm)   roundcube 1.5.0+dfsg.1-1 (bookworm)
fedoraproject   fedora
fedoraproject   fedora
roundcube       webmail        < 1.3.17                                1.3.17
roundcube       webmail        >= 1.4.0 < 1.4.12                       1.4.12

Detection & IOCs (extracted from sources)

  • Exploit delivered via spearphishing email attachment containing JavaScript code that executes additional JavaScript payloads from attacker-controlled infrastructure, exploiting CVE-2021-44026 (SQL injection via search/search_params) in Roundcube
  • Post-exploitation activity includes redirecting incoming emails to attacker-controlled addresses and harvesting session cookies, user information, and address books from Roundcube
  • CVE-2021-44026 exploited as SQL injection via Roundcube search or search_params parameter; monitor for anomalous SQL-like patterns in Roundcube search requests
  • CVE-2021-44026 was used in a confirmed data breach to exfiltrate over one million user records from a Roundcube deployment; monitor for large-scale unauthorized database reads via Roundcube
  • APT28/BlueDelta used CVE-2021-44026 alongside CVE-2020-12641 and CVE-2020-35730 in chained Roundcube exploitation; detection of any one should prompt investigation for the others
  • Sender email address ukraine_news@meta[.]ua used as a lure in spearphishing campaigns exploiting CVE-2021-44026; flag inbound emails from this address
  • CVE-2021-44026 affects Roundcube versions before 1.3.17 and 1.4.x before 1.4.12; patched versions are not vulnerable to this SQL injection vector
  • IP address observability windows are time-bounded and infrastructure may have rotated; treat older IPs (pre-2022) with lower confidence for current blocking

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vulncheck                 9.8     CRITICAL
cisa                      9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_ubuntu             6.1     MEDIUM