CVE-2020-12641 — Roundcube Webmail Remote Code Execution Vulnerability

Roundcube Webmail — RCE via Shell Metacharacters in ImageMagick Path Configuration

What is Roundcube Webmail?

Roundcube is one of the most widely deployed open-source webmail clients in the world, used by millions of users across governments, universities, managed email providers, and enterprises. Unlike SaaS email platforms, Roundcube is self-hosted — organizations install it on their own mail servers, often internet-accessible for remote email access. Its prevalence in government and diplomatic environments has made it a recurring target for state-sponsored espionage actors seeking to intercept email communications.

Overview

CVE-2020-12641 is an OS command injection vulnerability (CWE-78) in Roundcube Webmail's ImageMagick integration. Roundcube's configuration holds the paths to the ImageMagick convert and identify binaries in the im_convert_path and im_identify_path settings, and the vulnerable releases interpolated those values, unescaped, into the shell command strings used for image processing. An attacker who can set those configuration values, for example through a malicious configuration import or a plugin with write access to Roundcube's configuration, can append shell metacharacters to the path and have arbitrary OS commands executed by the web server process. The bug itself provides no way to change the configuration: control over those settings, or a chained bug that grants it, is the prerequisite.

The vulnerability was patched in April 2020 but was not added to CISA's Known Exploited Vulnerabilities (KEV) catalog until June 2023, when exploitation against government email servers was confirmed, consistent with the pattern of state-sponsored actors targeting Roundcube deployments.

Affected Versions

Roundcube branch   Vulnerable   Fixed
1.4.x              < 1.4.4      1.4.4
1.3.x              < 1.3.11     1.3.11
1.2.x              < 1.2.10     1.2.10

Technical Details

Roundcube uses ImageMagick for processing image attachments. The paths to the ImageMagick convert and identify binaries are stored in Roundcube's configuration file (config/config.inc.php) as im_convert_path and im_identify_path. When the vulnerable releases built the shell command for an image operation, they used these values as-is, with no escaping and no validation that they were in fact plain paths to executables.

If an attacker can set these configuration values to strings containing shell metacharacters — for example:

/usr/bin/convert; malicious-command; echo

— the injected commands execute with the privileges of the web server process (typically www-data or equivalent) the next time Roundcube invokes ImageMagick, for example to resize or thumbnail an image attachment while a user views a message.

The attack surface: the two settings live in config.inc.php, which only an administrator, or a plugin or configuration import running with write access to that file, should be able to change. The bug is therefore reachable only by an attacker who already has that level of control, or who chains it with another Roundcube vulnerability that lets them alter configuration values. Once the setting is poisoned, the trigger is ordinary use: an image attachment in a crafted email is handed to ImageMagick when a recipient opens the message in Roundcube, which is why attackers have paired this bug with phishing emails carrying image attachments. Mail delivery itself does not run Roundcube's image code; a user viewing the message does.
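As an added illustration (example code written for this page, not Roundcube's own PHP), the following Python models both behaviours: the vulnerable pattern splices the configured path into a single command string that /bin/sh parses, which is what PHP's exec()-style calls do, while the hardened version checks the path against an allow-list and starts the binary from an argument vector so no shell is involved. /bin/echo stands in for ImageMagick so the demo runs without it installed, and the allow-list regex is this example's assumption, not a rule taken from Roundcube.

```python
import os
import re
import shlex
import subprocess

# Shape this example accepts for an ImageMagick binary path: an absolute path made of
# plain path characters. This allow-list is an assumption of the example, not a rule
# taken from Roundcube's code.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")


def build_convert_command(convert_path, src, dst, size="160x160"):
    """Model of the vulnerable pattern: the configured binary path is spliced,
    unescaped, into one command string that is then handed to /bin/sh (what
    PHP's exec()-style functions do). Only the file arguments are quoted."""
    return f"{convert_path} -resize {size} {shlex.quote(src)} {shlex.quote(dst)}"


def run_convert_unsafe(convert_path, src, dst):
    """Vulnerable: shell=True lets a ';' inside convert_path start a second command."""
    cmd = build_convert_command(convert_path, src, dst)
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_safe_binary_path(path):
    """Hardened check: plain absolute path that is an existing executable file."""
    return bool(SAFE_PATH_RE.match(path)) and os.path.isfile(path) and os.access(path, os.X_OK)


def run_convert_safe(convert_path, src, dst, size="160x160"):
    """Hardened: validate the configured path, then pass an argv list so no shell
    ever parses the command; metacharacters can no longer change its structure."""
    if not is_safe_binary_path(convert_path):
        raise ValueError(f"refusing to run im_*_path value {convert_path!r}")
    argv = [convert_path, "-resize", size, src, dst]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Constructed configuration values. /bin/echo stands in for ImageMagick's
    # convert so the demo runs without ImageMagick installed; the payload has the
    # shape shown above, with a trailing 'echo' to swallow the real arguments.
    hostile = "/bin/echo; echo INJECTED-COMMAND-RAN; echo"
    print("unsafe:", repr(run_convert_unsafe(hostile, "in.jpg", "out.jpg")))
    try:
        run_convert_safe(hostile, "in.jpg", "out.jpg")
    except ValueError as err:
        print("safe  :", err)
    print("safe  :", repr(run_convert_safe("/bin/echo", "in.jpg", "out.jpg")))
```

Run as a script, the unsafe variant's output contains the INJECTED-COMMAND-RAN line produced by the second command, the hardened variant refuses the hostile value outright, and with a clean path it runs /bin/echo with exactly the four intended arguments. The argv form matters as much as the validation: even a value that slips past a weak allow-list cannot gain a second command when no shell ever tokenises the string.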

Discovery

The vulnerability was reported privately to the Roundcube team, who fixed it in the security releases of April 29, 2020. CISA added it to KEV on June 22, 2023, following reporting by CERT-UA and Recorded Future's Insikt Group that the Russian GRU-linked group APT28 (tracked by Recorded Future as BlueDelta) was exploiting CVE-2020-12641 together with CVE-2020-35730 and CVE-2021-44026 against Ukrainian government Roundcube servers. Winter Vivern (TA473), a separate Russia-aligned group tracked by Proofpoint and ESET, has targeted European government and NATO-affiliated Roundcube instances through the webmail's cross-site scripting bugs rather than through this one.

Exploitation Context

CISA added CVE-2020-12641 to the KEV catalog on June 22, 2023, three years after the patch, alongside two other Roundcube bugs (CVE-2020-35730 and CVE-2021-44026), because all three were still being exploited against unpatched government instances. The campaign behind the addition, attributed to APT28, delivered crafted emails to reach the Roundcube bugs on Ukrainian government mail servers; Roundcube deployments at European government, military and NGO organisations were targeted by Russia-aligned actors throughout 2022 and 2023.

The long gap between patch (2020) and KEV addition (2023) reflects the large installed base of unpatched Roundcube deployments, particularly in government IT environments with slow patch cycles.

Remediation

  1. Upgrade Roundcube: Update to version 1.4.4+, 1.3.11+, or 1.2.10+ (or the latest stable release).
  2. Restrict configuration write access: Ensure only system administrators can modify Roundcube's config/config.inc.php. The file should be owned by root (or the administrative account) and must not be writable by the web server account, so that neither a compromised plugin nor web-reachable code can rewrite it.
  3. Check the im_convert_path and im_identify_path settings: Verify each contains only the expected absolute path to the ImageMagick binary (for example /usr/bin/convert), with no spaces or shell metacharacters such as ; | & $ ` and no trailing commands.
  4. Disable ImageMagick if not needed: Leave both settings at their default of null (or an empty string); Roundcube then uses PHP's GD extension for image resizing instead of spawning an external process.
  5. Review logs on the webmail host: Look for the web server user spawning unexpected child processes (auditd or EDR process-creation events are the most reliable source) and for unexpected outbound connections from the mail server host.
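An audit script covering steps 2 to 4 above, as an added example that is not part of the original advisory or of Roundcube: it pulls the im_* assignments out of a config.inc.php, flags any value that is not a plain path to an existing executable, and reports a config file that the web server account could rewrite. The script name, the path-character allow-list and the web-server uid argument are this example's assumptions, and the parser only understands assignments written as quoted string literals or null, not values computed by PHP expressions.

```python
import os
import re
import stat
import sys

IM_KEYS = ("im_convert_path", "im_identify_path")

# Allow-list for a binary path: absolute, plain path characters only.
# This is an assumption of the audit, not a rule from Roundcube.
SAFE_PATH_RE = re.compile(r"^/[A-Za-z0-9_./-]+$")

# Matches lines such as  $config['im_convert_path'] = '/usr/bin/convert';
# (legacy $rcmail_config, double quotes and null are accepted too). Values
# built from other PHP expressions are not parsed and will not be reported.
SETTING_RE = re.compile(
    r"""^\s*\$(?:config|rcmail_config)\[\s*['"](im_convert_path|im_identify_path)['"]\s*\]"""
    r"""\s*=\s*(?:'([^']*)'|"([^"]*)"|(null))\s*;""",
    re.MULTILINE | re.IGNORECASE,
)


def parse_im_settings(config_text):
    """Return {setting: value-or-None} for the im_* settings in config.inc.php text.
    A later assignment overrides an earlier one, as it would when PHP runs the file."""
    found = {}
    for m in SETTING_RE.finditer(config_text):
        key, single, double, null = m.groups()
        found[key.lower()] = None if null is not None else (single if single is not None else double)
    return found


def check_value(key, value):
    """Findings for one setting; an empty list means it is acceptable."""
    if value is None or value == "":
        return []  # ImageMagick not used for this step; Roundcube falls back to GD
    if not SAFE_PATH_RE.match(value):
        return [f"{key}: {value!r} contains characters outside a plain absolute path"]
    if not (os.path.isfile(value) and os.access(value, os.X_OK)):
        return [f"{key}: {value!r} is not an existing executable file"]
    return []


def config_mode_findings(mode, owner_uid, web_uid=None):
    """Findings for the config file's permission bits and owner (pure, so it is testable)."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"config file is writable by group or others (mode {stat.S_IMODE(mode):04o})")
    if web_uid is not None and owner_uid == web_uid:
        findings.append(f"config file is owned by the web server uid {web_uid}")
    return findings


def audit(config_path, web_uid=None):
    """Audit one config.inc.php: the im_* values plus who may rewrite the file."""
    with open(config_path, encoding="utf-8") as fh:
        settings = parse_im_settings(fh.read())
    findings = []
    for key in IM_KEYS:
        findings += check_value(key, settings.get(key))
    st = os.stat(config_path)
    findings += config_mode_findings(st.st_mode, st.st_uid, web_uid)
    return findings


if __name__ == "__main__":
    # Hypothetical script name; usage: audit_roundcube_im.py CONFIG_INC_PHP [WEB_UID]
    if len(sys.argv) < 2:
        sys.exit("usage: audit_roundcube_im.py CONFIG_INC_PHP [WEB_UID]")
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else None
    problems = audit(sys.argv[1], uid)
    for line in problems:
        print("FINDING:", line)
    sys.exit(1 if problems else 0)
```

Point it at the live config.inc.php with the uid of the web server account (id -u www-data on Debian-style systems) and treat any FINDING line as something to fix before relying on the settings check alone: a value that looks clean today is only as trustworthy as the write protection on the file that holds it.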

Key Details

Property               Value
CVE ID                 CVE-2020-12641
Vendor / Product       Roundcube — Roundcube Webmail
NVD Published          2020-05-04
NVD Last Modified      2025-11-04
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-78
CISA KEV Added         2023-06-22
CISA KEV Deadline      2023-07-13
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-07-13. Apply updates per vendor instructions.

Timeline

Date          Event
2020-04-29    Roundcube releases security updates 1.4.4, 1.3.11 and 1.2.10
2020-05-04    CVE-2020-12641 published
2023-06-22    Added to CISA Known Exploited Vulnerabilities catalog
2023-07-13    CISA BOD 22-01 remediation deadline

References

Resource                                                   Type
Roundcube Security Updates 1.4.4 / 1.3.11 / 1.2.10         Vendor Advisory
NVD — CVE-2020-12641                                       Vulnerability Database
CISA KEV Catalog Entry                                     US Government