Roundcube Community Forum


Security concerns - Uncovering an APT28 Roundcube Toolkit

Started by dutterman, March 18, 2026, 12:39:34 PM


dutterman

Hello,

I've been running RC for probably a decade and I'm really happy with the UI. But I wonder what I can do to increase security.
After reading https://hunt.io/blog/operation-roundish-apt28-roundcube-exploitation it seems that even when using the 2-factor authentication plugin, the webapp is vulnerable to exploits.

Is there any guidance on how to increase security to mitigate these risks?

JohnDoh

Based on the info in that article I'm not sure why you think 2FA would not help. A properly implemented MFA plugin will increase security, but only for the Roundcube login; if you use other IMAP clients then those would need their own solutions. For things like brute force login attempts you can also use tools like Fail2Ban.

The article is not about a login attack, though, but instead about a CSS exploit which can then be used to get creds stored in a browser. Using browser credential stores is notoriously unsafe.

The article does not give the CVE id for the specific exploit but the devs do patch security issues when they are discovered (for example the changelog for 1.6.13 mentions "Fix CSS injection vulnerability reported by CERT Polska") and we don't know what version of Roundcube the people who wrote the article were using.

Like any web app, the best you can do is make sure you have it set up properly, the permissions are correct and you apply security updates when they come out.
Roundcube Plugins: Contextmenu, SpamAssassin Prefs, and more...
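As an added illustration of the Fail2Ban suggestion above (example code, not from the thread or the Roundcube project): a small Python script that applies a Fail2Ban-style maxretry/findtime rule to failed-login lines and also reports how many different accounts each flagged IP tried, which makes password spraying across users visible. The log line layout and all IPs and users are constructed samples; the exact format of your Roundcube errors log should be checked before reusing the regex.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines loosely modelled on a Roundcube errors log.
# The exact format is an assumption, not something taken from the thread.
SAMPLE_LOG = """\
[18-Mar-2026 12:40:01 +0000]: <a1b2c3> IMAP Error: Login failed for alice@example.org against localhost from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[18-Mar-2026 12:40:09 +0000]: <a1b2c4> IMAP Error: Login failed for bob@example.org against localhost from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[18-Mar-2026 12:40:15 +0000]: <a1b2c5> IMAP Error: Login failed for carol@example.org against localhost from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
[18-Mar-2026 12:41:30 +0000]: <a1b2c6> IMAP Error: Login failed for alice@example.org against localhost from 198.51.100.7. AUTHENTICATE PLAIN: Authentication failed.
[18-Mar-2026 13:15:00 +0000]: <a1b2c7> IMAP Error: Login failed for dave@example.org against localhost from 192.0.2.10. AUTHENTICATE PLAIN: Authentication failed.
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]: <[^>]*> IMAP Error: Login failed for (?P<user>\S+) "
    r"against \S+ from (?P<ip>[0-9a-fA-F.:]+)\."
)
TS_FMT = "%d-%b-%Y %H:%M:%S %z"


def parse_failures(text):
    """Yield (timestamp, user, ip) for each failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["user"], m["ip"]


def find_offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Mimic a Fail2Ban jail: an IP is flagged once it produces at least `maxretry`
    failures inside any sliding window of length `findtime`. Returns a dict
    mapping each flagged IP to the set of usernames it tried."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        events[ip].append((ts, user))
    offenders = {}
    for ip, hits in events.items():
        hits.sort()
        for i in range(len(hits)):
            window = [u for t, u in hits[i:] if t - hits[i][0] <= findtime]
            if len(window) >= maxretry:
                offenders[ip] = {u for _, u in hits}
                break
    return offenders


if __name__ == "__main__":
    for ip, users in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} accounts tried within the window -> ban candidate")
```

With the sample above only 192.0.2.10 trips the rule (three failures in 14 seconds, four accounts overall); the single failure from 198.51.100.7 is left alone.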

fyre1212

You're absolutely right to be concerned—Roundcube has had multiple real-world exploits over the years, including XSS and even remote code execution vulnerabilities that were actively used by groups like APT28.

Even with 2FA, the core issue is that many of these attacks happen after authentication (or via malicious emails), so hardening the whole stack is key—not just login security.

A few practical things that usually help:

Always stay fully updated (patching is critical—some recent bugs were actively exploited within days)

Put Roundcube behind a VPN or restrict access by IP if possible

Use a WAF and proper CSP headers to reduce XSS risk

Disable or strictly filter risky content (like SVG/HTML emails)

Monitor logs for unusual activity and limit privileges on the server

Also worth noting: webmail in a browser is inherently harder to secure than thick clients because of how HTML email works.

If you're digging deeper into security practices and mitigation strategies, you might also find this helpful: UNICCM

Curious what others here are doing—especially anyone running Roundcube in a more hardened setup 👀