Skip to content
Security & Trust

China-Aligned Hackers Chained Two Roundcube Flaws Against University Webmail. Both Were Patched Over a Year Ago.

A suspected China-aligned campaign chained an XSS flaw patched in August 2024 with an RCE patched in mid-2025 to compromise physics and engineering departments at U.S. and Canadian universities. The gap is not disclosure — it is deployment.

· 5 min read
Share on X LinkedIn
China-Aligned Hackers Chained Two Roundcube Flaws Against University Webmail. Both Were Patched Over a Year Ago.

Two Patched Flaws, One Attack Chain

A suspected China-aligned threat activity cluster, tracked by Proofpoint as UNK_MassTraction and first detected in May 2026, has been exploiting Roundcube webmail software to reach physics and engineering departments at universities in the United States and Canada. The campaign chains two already-patched vulnerabilities: CVE-2024-42009, a cross-site scripting flaw patched in August 2024, serves as the initial access vector through phishing. CVE-2025-49113, a PHP object deserialization bug patched in mid-2025, provides remote code execution for persistence. Neither is a zero-day. Both had patches available for over a year before this campaign was detected.

Patched August 2024 — exploited May 2026 (21 months)
CVE-2024-42009 (initial access, XSS)
Source: The Hacker News / Proofpoint UNK_MassTraction campaign tracking
Patched mid-2025 — CISA KEV added February 2026
CVE-2025-49113 (persistence, RCE)
Source: CISA Known Exploited Vulnerabilities Catalog

Why Physics and Engineering Departments

University IT is rarely centralized the way a corporate network is. Individual departments and labs commonly run their own mail infrastructure, on their own patch schedule, outside the reach of a central security team. Physics and engineering departments carry pre-publication research data, federally funded grant material, and in some cases export-controlled technical information — assets attractive to a state-aligned actor independent of any revenue motive.

The deployment model is the exposure. Roundcube is actively maintained software with a current release cadence — grouping it as 'legacy' would be inaccurate. What makes it vulnerable in this context is how it is deployed: self-hosted, department-managed, patched on a best-effort basis by teams whose primary mission is research, not operations. The XSS flaw used for initial access was patched 21 months before this campaign was detected. The gap is not in the software's maintenance. It is in the distance between the maintainer shipping a fix and a university department applying it.

The Self-Hosted Patching Problem

CISA added CVE-2025-49113 to its Known Exploited Vulnerabilities catalog in February 2026 — roughly seven months after the patch was available, and months before this university campaign was detected. Even CISA's own cataloging lagged the fix by more than half a year. For federal civilian agencies subject to BOD 22-01, a KEV listing triggers mandatory remediation deadlines. For universities, it is advisory at best. The catalog now carries 1,635 entries. Self-hosted web software recurs in it because the patching obligation falls on the deployer, and deployers in decentralized organizations have no forcing function to act.

1,635
CISA KEV catalog entries
Source: CISA Known Exploited Vulnerabilities Catalog (July 7, 2026)

What the Timeline Shows

The reported campaign is specific and bounded: a suspected China-aligned cluster targeting research universities running Roundcube instances that were never updated after public fixes shipped. It does not describe a broader compromise of email software generally, and no evidence in the current reporting extends this pattern beyond the physics and engineering departments named.

What the timeline does show is the interval between patch availability and patch adoption in decentralized academic IT — and that interval is where this campaign operated. A 21-month gap between the initial-access vulnerability's patch and its exploitation is not a failure of the software vendor. It is a failure of the deployment model. The fix existed. The mechanism to ensure it reached every self-hosted instance did not.

CVEs in this analysis
CVE-2025-49113 CVE-2024-42009
Share this insight