What happened
CISA added CVE-2024-42009 to the Known Exploited Vulnerabilities (KEV) catalog on 2025-06-09, confirming in-the-wild exploitation and setting a federal remediation clock [CISA KEV catalog]. The issue is a cross-site scripting (CWE-79) flaw in Roundcube Webmail that is triggered by a crafted email, enabling attacker-controlled JavaScript to run in the victim’s browser session [NVD entry]. The CVE description explicitly notes that an attacker can steal and send emails of the victim by abusing a desanitization issue during message display [NVD entry]. The vulnerability is tracked as CWE-79 and is recorded by MITRE under CVE-2024-42009 [MITRE CVE record].
Per the KEV entry’s standard directive, federal agencies must apply mitigations per vendor instructions or discontinue use if mitigations are unavailable, with a due date of 2025-06-30 [CISA KEV catalog].
Why it matters
Webmail directly renders untrusted content from email bodies, so a cross-site scripting path inside the message renderer is a straight line to mailbox exposure [NVD entry]. Because this CVE is on the KEV list, exploitation is not theoretical—CISA only lists vulnerabilities with evidence of active abuse [CISA KEV catalog]. Successful exploitation lets attackers read and transmit messages as the user, enabling silent exfiltration, forward-rule staging, and follow-on phishing from a trusted account [NVD entry].
CWE-79 issues in user-content pipelines are notoriously abusable because they bypass network-layer controls and land code execution directly in the browser context [MITRE CVE record]. Here, the crafted email is the delivery vehicle, and the target is the webmail viewer itself [NVD entry].
Technical detail
The flaw stems from a desanitization error in the message rendering path: specifically, the message_body() routine in program/actions/mail/show.php during email display [NVD entry]. When a maliciously crafted email is processed for viewing, unsafe content can slip past the intended protections and execute as script in the victim’s browser [NVD entry]. Because this execution occurs within the authenticated Roundcube session, the payload inherits the user’s permissions to read mail and initiate send actions [NVD entry].
The vulnerability is categorized under CWE-79 (Cross-Site Scripting), reflecting a failure to properly neutralize user-controlled input before rendering it in a web page [MITRE CVE record]. Practically, the attacker’s JavaScript can harvest mailbox content and issue requests that result in outgoing emails, using the victim’s identity and session [NVD entry]. The essential precondition is delivery of a specially crafted email to a user of the Roundcube Webmail interface, after which viewing the message triggers the vulnerable rendering path [NVD entry].
Defense
- Patch/mitigate immediately per vendor guidance. CISA’s KEV entry mandates remediation, or discontinuation if a fix is unavailable, and sets a due date for federal networks [CISA KEV catalog].
- Treat potentially affected instances as compromised until proven otherwise. Because attackers can steal and send emails post-exploitation, investigate mailboxes for suspicious “Sent” items and for access patterns consistent with a crafted message having been viewed [NVD entry].
- Reset sessions and credentials for users who may have viewed suspect messages. Webmail XSS runs in the user’s authenticated context, enabling actions on their behalf—clear tokens and re-authenticate [NVD entry].
- Prioritize monitoring for anomalous send actions originating from normal message-view workflows. Correlate message view events with bursts of outbound mail to new recipients—this behavior matches the CVE’s ability to send mail via injected script [NVD entry].
For agencies subject to CISA directives, follow the required actions and timelines in the KEV program, including BOD 22-01-aligned remediation for internet-exposed services [CISA KEV catalog].
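The view-then-send correlation from the last bullet, as an added example that is not Roundcube code or part of the original post: the log format, user names, recipients and the 30-second window are constructed for illustration, and a real deployment would map its own webmail and MTA logs onto the same (timestamp, user, action) shape.

```python
"""Flag a message view followed by a burst of sends to never-before-seen recipients."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Roundcube log format): bob views one
# message and replies normally; alice views one message and three sends to
# unknown recipients follow within seconds, the pattern the CVE enables.
SAMPLE_LOG = """\
2025-06-10T09:00:01Z user=bob action=show uid=101
2025-06-10T09:03:40Z user=bob action=send to=carol@example.org
2025-06-10T09:10:00Z user=alice action=show uid=417
2025-06-10T09:10:02Z user=alice action=send to=drop1@attacker.invalid
2025-06-10T09:10:03Z user=alice action=send to=drop2@attacker.invalid
2025-06-10T09:10:04Z user=alice action=send to=drop3@attacker.invalid
"""

# Constructed per-user baseline of recipients each user has mailed before.
KNOWN_RECIPIENTS = {"alice": {"boss@example.org"}, "bob": {"carol@example.org"}}
WINDOW = timedelta(seconds=30)  # sends this soon after a view are suspicious
THRESHOLD = 2                   # sends to new recipients needed to alert


def parse(log: str):
    """Turn each 'ts user=.. action=.. k=v' line into (ts, user, action, fields)."""
    events = []
    for line in log.splitlines():
        ts_str, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, fields.pop("user"), fields.pop("action"), fields))
    return events


def view_then_send_bursts(events, known=KNOWN_RECIPIENTS,
                          window=WINDOW, threshold=THRESHOLD):
    """Return {user: [(viewed_uid, [new recipients]), ...]} for every 'show'
    followed within `window` by >= threshold sends to recipients the user has
    never mailed.  A human replying to one message rarely fans out like this."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        by_user[ev[1]].append(ev)
    alerts = defaultdict(list)
    for user, evs in by_user.items():
        for i, (ts, _, action, f) in enumerate(evs):
            if action != "show":
                continue
            new_rcpts = [e[3]["to"] for e in evs[i + 1:]
                         if e[2] == "send" and e[0] - ts <= window
                         and e[3]["to"] not in known.get(user, set())]
            if len(new_rcpts) >= threshold:
                alerts[user].append((f["uid"], new_rcpts))
    return dict(alerts)
```

Tune the window and threshold against your own users' reply latency before alerting; the baseline of known recipients is what separates injected fan-out from a legitimate reply-all.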
Lyrie Verdict
This is content-borne code execution inside the user’s mailbox UI: a crafted email triggers script during rendering and can immediately read and transmit messages [NVD entry]. It’s already in KEV, so adversaries are operationalizing it now [CISA KEV catalog]. Defenders can’t rely on human review queues—the exploit fires at view-time. Lyrie’s stance: treat webmail renderers as high-risk execution surfaces and instrument autonomous detection at the moment content is processed. At machine speed, flag and block sequences like “message display” immediately followed by scripted mailbox enumeration or send actions characteristic of this CVE’s impact [NVD entry]. Autonomous controls neutralize rogue-AI-driven mail-borne scripts before they can pivot from read to exfiltrate-and-send.
Lyrie Verdict
Content-borne XSS in Roundcube executes at view-time and enables mail read/send; it’s in KEV and being abused. Deploy autonomous, on-render detection to block scripted mailbox enumeration and send actions at machine speed.