// 1 CRITICAL · 2 ZERO-DAY · 7 CVE · 5 EXPLOIT · 1 ADVISORY IN THE LAST 24H
A suspected Chinese espionage cluster has compromised fewer than ten US and Canadian universities using a two-vulnerability chain in Roundcube webmail. First observed in May 2026, the campaign remains active and flips the traditional email threat model: instead of targeting end users, the email delivers an exploit chain to seize the mail server itself.

A suspected China-aligned espionage group has compromised fewer than ten US and Canadian universities by exploiting a chain of two critical vulnerabilities in Roundcube. The campaign, first observed in May 2026, is believed to be ongoing. The tactical novelty lies in inverting the classic paradigm: email is no longer the vector to hit the end user, but the weapon to conquer the mail server.

Key Takeaways
  • Fewer than ten universities identified as confirmed victims, with an estimate of several dozen potentially impacted.
  • Exploit chain: CVE-2024-42009 (XSS) for JavaScript execution in the browser, followed by CVE-2025-49113 (RCE via PHP Object Deserialization) for mail server control.
  • Specific targets: physics and engineering departments, focusing on administrators and professors with ties to national security or affiliated with research organizations in astrophysics and particle physics.
  • Both vulnerabilities are listed in the CISA Known Exploited Vulnerabilities catalog; patches have been available for some time, yet the campaign continues.

The Exploit Chain That Inverts the Attack Flow

The chain begins with CVE-2024-42009, a cross-site scripting vulnerability with a CVSS 3.1 base score of 9.6 according to the NVD record. The flaw, present in Roundcube through version 1.5.7 and in the 1.6.x branch through 1.6.7, allows a remote attacker to steal and send the victim's email through a specially crafted message that exploits a desanitization issue in the message_body() function.

This first step is the bridge to the second: CVE-2025-49113, a remote code execution vulnerability with a CVSS 3.1 base score of 8.8 per the NVD record. The flaw resides in the unvalidated _from parameter in program/actions/settings/upload.php, leading to PHP object deserialization. Affected versions are Roundcube prior to 1.5.10 and 1.6.x prior to 1.6.11.

The combination is surgical. The XSS in the victim's browser paves the way for RCE on the server. No suspicious link click or credential entry is required: simply opening an email with a generic lure sent in bulk is enough. Greg Lesnewich, principal threat researcher at Proofpoint, described the campaign in precise terms: "This campaign flips that on its head, using email to deliver an exploit chain to compromise a mail server, instead of using email to deliver a credential harvesting URL or malware to target an end user, not a server".

Academic Targeting: Physics, Engineering, and National Security

Confirmed victims number fewer than ten universities, but Proofpoint estimates that several dozen may have been reached. The targeting is not random: physics and engineering departments are at the center, particularly administrators and professors with connections to national security or affiliated with organizations studying astrophysics and particle physics.

This profiling suggests an interest in frontier scientific research, not administrative or financial data. The dossier does not specify the precise motivation, but the pattern is consistent with technology espionage campaigns conducted by Chinese actors against research institutions. Proofpoint tracks the cluster as UNK_MassTraction: a label indicating a collection of activity not yet attributable to a named group with certainty.

Attribution to a China-aligned actor rests on three concrete elements: use of a covert network known and used by multiple Chinese groups, an infection chain leading to VShell, and Chinese-language artifacts in the phishing emails. None of these overlaps, alone, enables identification of the specific operator.

Post-Exploitation and Visibility Limits

Following initial compromise, the dossier documents the installation of webshells and backdoors for persistent access. Proofpoint, however, lacks visibility into the data actually exfiltrated. As Lesnewich stated: "We do not have data to suggest what got stolen, as we only observe the initial inbound email attempt". This limit is structural: the researcher sees the entry, not the exit.

"There is a high likelihood that many victims have not been made aware of this activity yet"

This observation, also from Lesnewich, illuminates the operational landscape. The CVEs are known, patches exist, yet the campaign continues. The gap between public vulnerabilities and actual patch deployment is the breeding ground for this attack.

Why This Matters

The brief does not document specific remedial measures recommended by the source. The dossier does not specify whether victims had applied available patches at the time of the attack, nor does it provide operational guidance for detection or response. The source does not list verification controls, detection tools, or recommended hardening procedures.

The campaign's relevance lies in two elements. The first is tactical: the inversion of the traditional flow, where email becomes a vector for the server rather than the user, expands the attack surface of institutions that still perceive email as an endpoint problem. The second is strategic: universities with STEM departments remain active targets of Chinese actors, and the protection of scientific research has become a national security dimension.

The source does not specify whether other nations or sectors were hit by the same campaign. No infrastructure overlaps emerge linking UNK_MassTraction to named Chinese clusters. The motive behind the physics-engineering targeting remains an espionage hypothesis: the dossier does not confirm it textually.

Information is based on the cited advisory and current as of publication.

Sources

Information is based on the cited source and current as of publication.

Sources


Sources and references
  1. cyberscoop.com
  2. unit42.paloaltonetworks.com
  3. securityweek.com
  4. research.checkpoint.com
  5. nvd.nist.gov