The pro-Russian and Belarusian hacker group Winter Vivern has been exploiting a zero-day vulnerability in widely used webmail software in attacks on government agencies and think tanks in Europe, according to researchers at the security company ESET, as reported by Ars Technica.

The previously unknown vulnerability has been assigned CVE-2023-5631 and stems from a critical cross-site scripting (XSS) flaw in Roundcube, a browser-based email client written in PHP with a front end built on JavaScript, CSS, HTML, and AJAX. Roundcube versions 1.6.x before 1.6.4, 1.5.x before 1.5.5, and 1.4.x before 1.4.15 are affected.
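A quick way to turn the affected ranges above into a check: the script below (an added example, not ESET's or Roundcube's own code) compares an installed version against the fixed release of its branch, and returns an explicit "unknown" for branches the article does not cover so that an unlisted branch is never mistaken for a patched one. The `RCMAIL_VERSION` constant and its location in `program/include/iniset.php` are assumed from Roundcube's source layout.

```python
"""Decide whether a Roundcube version is in the CVE-2023-5631 affected ranges
stated in the article: 1.6.x < 1.6.4, 1.5.x < 1.5.5, 1.4.x < 1.4.15."""
import re

# Fixed release per branch, taken from the affected ranges in the article.
FIXED = {(1, 6): (1, 6, 4), (1, 5): (1, 5, 5), (1, 4): (1, 4, 15)}


def parse_version(text):
    """Parse '1.6.3' or '1.6.3-rc1' into (1, 6, 3); pre-release suffixes are ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text):
    """True if the version is below its branch's fix, False if at or above it,
    None if the branch is not one the article lists (treat None as 'check manually')."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed


def version_from_iniset(source):
    """Extract the version from the RCMAIL_VERSION define in iniset.php.
    Assumed layout: define('RCMAIL_VERSION', '1.6.3');"""
    m = re.search(r"RCMAIL_VERSION'\s*,\s*'([^']+)'", source)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample of the define line, standing in for a real iniset.php.
    sample = "define('RCMAIL_VERSION', '1.6.3');"
    ver = version_from_iniset(sample)
    print(ver, "affected:", is_affected(ver))
```

In practice, read `program/include/iniset.php` from the Roundcube install root and pass its contents to `version_from_iniset`.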

Winter Vivern used the bug to inject JavaScript code into Roundcube. To do this, the hackers sent an email from the address [email protected]. Opening the malicious email caused the targets' messages to be sent to a server controlled by the attackers.

According to ESET, the attacks began on October 11, and Roundcube released a patch on October 14.

Winter Vivern has been active since at least 2020 and targets governments and think tanks, primarily in Europe and Central Asia. In March, the group was seen targeting U.S. government officials who had expressed support for Ukraine in its efforts to repel the Russian invasion.