PatchDayAlert
Analysis · 6 min read · 1,160 words By Colten Anderson

A 6.1 read European government email for two years

Two medium-severity Roundcube XSS bugs let Russian state actors read government email with no click required. The CVSS score said monitor. The KEV listing said move.

A 6.1 is a number you put on the “we’ll get to it” list. CVE-2023-5631 was a 6.1, and Russian state-sponsored actors used it to silently read email out of governmental inboxes across Europe and out of Ukrainian government agencies. No one had to click anything. Opening the message was enough.

That’s the gap this post is about. The severity score told you one thing. The people exploiting the bug told you another. If you triage by CVSS alone, you got this one wrong, and the cost of getting it wrong was two-plus years of someone else reading mail you owned.

What the bugs actually do

There are two of them, both cross-site scripting, both scored Medium, both in CISA’s Known Exploited Vulnerabilities catalog.

CVE-2023-5631 lives in rcube_washtml.php, Roundcube’s HTML sanitizer. A crafted HTML email carries a malicious SVG document that the sanitizer waves through. The SVG’s onerror attribute fires an eval() on a base64-decoded JavaScript payload, which then calls out to an attacker server for more script. NIST scores it 5.4; the CNA and ESET score it 6.1. The difference is whether the attacker needs an existing account first. For webmail, where the attacker just sends a message to whatever address they want, the no-privileges-required reading (6.1) is the one that matches reality.

CVE-2023-43770 is simpler and somehow worse to read about. It’s in program/lib/Roundcube/rcube_string_replacer.php, and it triggers on a link in a plain-text email. Not an attachment, not an HTML payload. A link, in a text message, with angle brackets that don’t get sanitized before the page renders. Scored 6.1.

Neither bug requires the victim to do anything beyond open the email. The sanitizer is the control that’s supposed to stop exactly this, and in both cases it’s the thing that failed.
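Added example, not Roundcube's sanitizer and not PatchDayAlert's tooling: a small gateway-side check that flags the two message shapes just described, an SVG in an HTML body that carries an event-handler attribute (with the eval/base64 pattern called out as its own rule) and a plain-text link whose URL contains angle brackets. It assumes the MIME parts have already been decoded to Python strings; the sample messages at the bottom are constructed, and the base64 literal decodes to a JavaScript comment rather than any real payload.

```python
"""Defender-side check for the two Roundcube message shapes discussed above.

Added example, not Roundcube's sanitizer and not PatchDayAlert's tooling.
Assumes the caller has already decoded the MIME parts into Python strings;
the sample messages at the bottom are constructed for illustration.
"""
import base64
import re
from html.parser import HTMLParser

# Any on* attribute (onerror, onload, ...) runs script when the element renders.
EVENT_ATTR_RE = re.compile(r"^on[a-z]+$", re.IGNORECASE)
# The eval(atob("<base64>")) shape: script hidden inside a base64 literal.
EVAL_ATOB_RE = re.compile(
    r"eval\s*\(\s*atob\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE
)
# A plain-text URL carrying an angle bracket, which a link-ifier must escape.
URL_WITH_ANGLE_RE = re.compile(r"https?://\S*[<>]\S*", re.IGNORECASE)


class SvgHandlerFinder(HTMLParser):
    """Record event-handler attributes on elements inside <svg> subtrees."""

    def __init__(self) -> None:
        super().__init__()
        self.svg_depth = 0
        self.findings: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        if self.svg_depth:  # also covers attributes on the <svg> tag itself
            for name, value in attrs:
                if EVENT_ATTR_RE.match(name):
                    self.findings.append((tag, name, value or ""))

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth:
            self.svg_depth -= 1


def scan_html_body(html: str) -> list[dict]:
    """Flag SVG event handlers; upgrade the rule when eval(atob()) is present."""
    finder = SvgHandlerFinder()
    finder.feed(html)
    finder.close()
    results = []
    for tag, attr, value in finder.findings:
        finding = {"rule": "svg-event-handler", "tag": tag, "attr": attr}
        match = EVAL_ATOB_RE.search(value)
        if match:
            finding["rule"] = "svg-eval-base64"
            try:
                finding["decoded"] = base64.b64decode(match.group(1)).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                finding["decoded"] = None
        results.append(finding)
    return results


def scan_text_body(text: str) -> list[dict]:
    """Flag plain-text links whose URL contains '<' or '>'."""
    return [
        {"rule": "text-link-angle-bracket", "url": m.group(0)}
        for m in URL_WITH_ANGLE_RE.finditer(text)
    ]


def verdict(html: str = "", text: str = "") -> str:
    """'quarantine' if either body part matches a rule, else 'deliver'."""
    return "quarantine" if scan_html_body(html) or scan_text_body(text) else "deliver"


# Constructed samples (not real campaign messages). The base64 decodes to a JS comment.
_PLACEHOLDER_JS = base64.b64encode(b"/* constructed placeholder, not a real payload */").decode()
SAMPLE_HTML_BENIGN = '<p>Hello</p><svg viewBox="0 0 10 10"><circle r="4"/></svg>'
SAMPLE_HTML_SUSPICIOUS = (
    "<p>Please review your account.</p>"
    f"<svg><image href=\"x\" onerror=\"eval(atob('{_PLACEHOLDER_JS}'))\"/></svg>"
)
SAMPLE_TEXT_SUSPICIOUS = "Reset here: https://example.invalid/login?next=<img src=x> thanks"
SAMPLE_TEXT_BENIGN = "Reset here: https://example.invalid/login"

if __name__ == "__main__":
    for label, html, text in [
        ("benign", SAMPLE_HTML_BENIGN, SAMPLE_TEXT_BENIGN),
        ("svg", SAMPLE_HTML_SUSPICIOUS, ""),
        ("text", "", SAMPLE_TEXT_SUSPICIOUS),
    ]:
        print(label, verdict(html, text), scan_html_body(html), scan_text_body(text))
```

The point of the check is the same as the post's: a mail body should never carry an executable event handler or an unescaped angle bracket inside a URL, so either one is a reason to hold the message regardless of what the CVSS vector says about the bug behind it.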

The part the score can’t hold

Here’s the timeline that matters more than the number. Winter Vivern, a Belarus/Russia-aligned group, started exploiting CVE-2023-5631 on October 11, 2023, according to ESET. That’s five days before the patch shipped on October 16 and seven days before the CVE was even formally issued. It was a zero-day against governmental entities and a think tank in Europe. The delivery was a spearphish impersonating the “Microsoft Accounts Team,” and the payload listed mail folders and exfiltrated messages. The victim opened a message; the attacker got the mailbox.

Then it scaled. APT28, the GRU-linked group also called Sednit and Fancy Bear, folded Roundcube into a broader campaign ESET named Operation RoundPress, expanding from Roundcube to Horde, MDaemon, and Zimbra and spreading across Eastern Europe, Africa, Europe, and South America. APT28 used CVE-2023-5631 in that campaign against Ukrainian government agencies and defense companies in Bulgaria and Romania. The injected JavaScript stole webmail credentials and lifted contacts and messages; the MDaemon-specific payload, SpyPress.MDAEMON, even set up a 2FA bypass for MDaemon targets via a separate MDaemon zero-day, CVE-2024-11182.

A 6.1 against a test mailbox is a 6.1. A 6.1 against a government agency sitting on active files is not a 6.1 in any sense an operator cares about. CVSS scores the mechanics: network-reachable, no privileges, user opens the email, confidentiality impact “Low” because the script only reaches what the session already reaches. It cannot score whose session it is. That’s the whole problem with reading severity off a single number. The number describes the lock. It says nothing about what’s behind the door.

Worth being precise: Winter Vivern and APT28 are distinct groups. They’re not the same operation. They independently weaponized the same Roundcube bug, which is its own signal. When two separate state-aligned crews reach for the same Medium-severity XSS, the Medium label is doing you a disservice.

Why the score and the urgency keep drifting apart

CVSS measures the vulnerability. Exploitation measures the attacker. Those are different questions, and triaging by the first one alone bakes in a blind spot for anything that’s cheap to exploit but devastating in the right inbox.

The KEV catalog is the corrective, and the timing tells the story. CISA added CVE-2023-5631 to KEV on October 26, 2023, eight days after it was published, with a remediation deadline of November 16. That speed is the signal. CISA doesn’t move that fast on something that’s genuinely a “we’ll get to it.”

CVE-2023-43770 is the other half of the lesson. A working proof-of-concept circulated for months before CISA added it to KEV on February 12, 2024, with a March 4 deadline. The patch had shipped September 15, 2023. So the gap between “public exploit code exists” and “federal hard deadline” was about five months. If you were waiting for the KEV listing to tell you to patch, you waited a season longer than the exploit did.
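To make the triage argument concrete, here is an added example (not PatchDayAlert's cheat sheet or tooling) that ranks CVE records by observed exploitation first and CVSS second, and sizes the exposure windows from the dates the post gives. The record layout, the tier scheme, the "sensitive mailbox" bump and the comparison entry CVE-0000-PLACEHOLDER are assumptions; the two Roundcube records use only dates and scores stated above.

```python
"""KEV-first triage: rank by observed exploitation before CVSS, then size the
exposure windows from dates. Added example, not PatchDayAlert's tooling.
The record layout, tier scheme and the hypothetical comparison entry
CVE-0000-PLACEHOLDER are assumptions; the Roundcube dates are the post's."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class CveRecord:
    cve_id: str
    cvss: float
    in_kev: bool = False
    published: Optional[date] = None
    patch_available: Optional[date] = None
    exploited_since: Optional[date] = None  # earliest reported in-the-wild use
    kev_added: Optional[date] = None
    kev_due: Optional[date] = None
    sensitive_mailbox: bool = False  # asset context that CVSS cannot express


def priority(rec: CveRecord, today: date) -> tuple[int, str]:
    """Return (tier, reason); tier 0 is most urgent."""
    if rec.in_kev and rec.kev_due is not None and today > rec.kev_due:
        tier, reason = 0, "KEV deadline already passed"
    elif rec.in_kev or rec.exploited_since is not None:
        tier, reason = 1, "exploited in the wild"
    elif rec.cvss >= 9.0:
        tier, reason = 2, "critical score, no known exploitation"
    elif rec.cvss >= 7.0:
        tier, reason = 3, "high score, no known exploitation"
    else:
        tier, reason = 4, "score-only medium/low"
    if rec.sensitive_mailbox and tier > 0:
        tier -= 1  # who owns the session matters more than the vector string
        reason += "; sensitive asset bump"
    return tier, reason


def rank(records, today: date):
    """Exploitation tier first, CVSS only as the tie-breaker within a tier."""
    return sorted(records, key=lambda r: (priority(r, today)[0], -r.cvss))


def rank_by_cvss_only(records):
    """The ordering the post argues against."""
    return sorted(records, key=lambda r: -r.cvss)


def exposure_windows(rec: CveRecord) -> dict:
    """Days between whichever milestones the record has."""
    out = {}
    if rec.exploited_since and rec.patch_available:
        out["zero_day_days"] = (rec.patch_available - rec.exploited_since).days
    if rec.published and rec.kev_added:
        out["published_to_kev_days"] = (rec.kev_added - rec.published).days
    if rec.patch_available and rec.kev_added:
        out["patch_to_kev_days"] = (rec.kev_added - rec.patch_available).days
    return out


# Dates as stated in the post (published = seven days after Oct 11 exploitation).
ROUNDCUBE_5631 = CveRecord(
    "CVE-2023-5631", 6.1, in_kev=True,
    published=date(2023, 10, 18), patch_available=date(2023, 10, 16),
    exploited_since=date(2023, 10, 11),
    kev_added=date(2023, 10, 26), kev_due=date(2023, 11, 16),
    sensitive_mailbox=True,
)
ROUNDCUBE_43770 = CveRecord(
    "CVE-2023-43770", 6.1, in_kev=True,
    patch_available=date(2023, 9, 15),
    kev_added=date(2024, 2, 12), kev_due=date(2024, 3, 4),
    sensitive_mailbox=True,
)
# Hypothetical comparison entry: a 9.8 that nobody is known to exploit.
HYPOTHETICAL_98 = CveRecord("CVE-0000-PLACEHOLDER", 9.8)
TODAY = date(2024, 6, 1)  # fixed reference date so the ranking is reproducible

if __name__ == "__main__":
    for r in rank([HYPOTHETICAL_98, ROUNDCUBE_5631, ROUNDCUBE_43770], TODAY):
        print(r.cve_id, r.cvss, priority(r, TODAY), exposure_windows(r))
```

Run it and the two Mediums sort above the hypothetical 9.8, and the windows come out as the post states them: a five-day zero-day before the CVE-2023-5631 patch, eight days from publication to KEV, and 150 days between the CVE-2023-43770 patch and its KEV listing.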

What this means for your Roundcube boxes

Roundcube is, by Nextcloud’s framing, the most popular on-premise webmail there is. Government agencies, universities, ISPs, hospitals, and defense contractors run it precisely because it’s self-hosted and the mail stays on infrastructure they control. That sovereignty has a bill: you own the entire patching lifecycle. No SaaS vendor quietly updates the instance for you. Sensitive communications plus manual patching plus broad install base is the exact recipe that makes a webmail server worth weaponizing at scale.

If you run Roundcube, the actions are short.

Anything older than those has been exposed for over two years. Both KEV deadlines are long past.

One exposure note that changes the math: don’t assume an internal-only Roundcube is safe. The attack surface is the browser session, and the payload arrives inside an email, so the server doesn’t need to face the internet for the bug to fire. Restrict admin interfaces to internal networks, enforce CSP headers, and patch Roundcube on the same cadence you patch your perimeter gear, because operationally it is perimeter gear.

The lesson isn’t “Roundcube is bad software.” Sanitizers are hard and they fail. The lesson is that a severity score is a starting point, not a verdict, and the fastest way to learn which Mediums are actually Highs is to watch who’s exploiting them and how quickly CISA reacts. That’s the read we do every day in the newsletter: which “Medium” jumped the queue this week, and what you actually have to do about it.

A 6.1 read European government email for two years. The number was never the story.
