What is Roundcube Webmail?
Roundcube is one of the most widely deployed open-source webmail clients in the world, used by millions of users across governments, universities, managed email providers, and enterprises. Unlike SaaS email platforms, Roundcube is self-hosted — organizations install it on their own mail servers, often internet-accessible for remote email access. Its prevalence in government and diplomatic environments has made it a recurring target for state-sponsored espionage actors seeking to intercept email communications.
Overview
CVE-2020-12641 is an OS command injection vulnerability (CWE-78) in Roundcube Webmail that arises from the way Roundcube invokes ImageMagick for image processing. When Roundcube's configuration specifies paths to the im_convert_path or im_identify_path ImageMagick binaries, these paths are passed directly to shell execution. An attacker who can influence these configuration settings — through a malicious configuration import or a plugin with write access to Roundcube's configuration — can inject shell metacharacters to execute arbitrary OS commands.
The vulnerability was patched in April 2020 but added to CISA's KEV catalog in June 2023, reflecting confirmed exploitation against government email servers — consistent with state-sponsored actors' pattern of targeting Roundcube deployments.
Affected Versions
| Roundcube Version | Vulnerable | Fixed |
|---|---|---|
| 1.4.x | < 1.4.4 | 1.4.4 |
| 1.3.x | < 1.3.11 | 1.3.11 |
| 1.2.x | < 1.2.10 | 1.2.10 |
Technical Details
Roundcube uses ImageMagick for processing image attachments. The paths to the ImageMagick convert and identify binaries are stored in Roundcube's configuration file as im_convert_path and im_identify_path. When these values are used to construct shell commands for image processing, they are not properly escaped or validated.
If an attacker can set these configuration values to strings containing shell metacharacters — for example:
/usr/bin/convert; malicious-command; echo
— the injected commands execute with the privileges of the web server process (typically www-data or equivalent) when any image is processed.
The attack surface: Roundcube's plugin system and configuration import functionality (accessible to admins) can modify these settings. State-sponsored actors have used phishing emails containing images or attached files to trigger the image processing code path, turning any email delivery into a potential RCE trigger on unpatched servers.
Discovery
The vulnerability was discovered and responsibly disclosed to the Roundcube team, who patched it in the April 29, 2020 security releases. CISA added it to KEV in June 2023 following confirmed exploitation of Roundcube installations — attributed by ESET and other researchers to Russian APT (Winter Vivern / TA473) targeting European government and NATO-affiliated email servers.
Exploitation Context
CISA added CVE-2020-12641 to the KEV catalog on June 22, 2023 — three years after the patch — because exploitation against unpatched government Roundcube instances was still being observed. Russian threat actor Winter Vivern (TA473) has been specifically attributed to exploiting Roundcube vulnerabilities (including this and related CVEs) against European government, military, and NGO email infrastructure throughout 2022–2023.
The long gap between patch (2020) and KEV addition (2023) reflects the large installed base of unpatched Roundcube deployments, particularly in government IT environments with slow patch cycles.
Remediation
- Upgrade Roundcube: Update to version 1.4.4+, 1.3.11+, or 1.2.10+ (or the latest stable release).
- Restrict configuration write access: Ensure only system administrators can modify Roundcube's config/config.inc.php — web server processes should not have write access to configuration files.
- Harden the im_convert_path setting: Verify this setting (and im_identify_path) contains only the expected ImageMagick binary path, with no shell metacharacters.
- Disable image processing if not needed: If image processing is not required, set $config['im_convert_path'] to an empty string in the Roundcube config.
- Review mail server logs: Look for unusual process spawning from the web server process, or unexpected outbound connections from the mail server host.
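As an added example (not Roundcube's own code), the following Python audit implements the "harden the im_convert_path setting" check above: it parses the two ImageMagick path assignments out of a config.inc.php body and flags any value that contains shell metacharacters or is not an absolute path. The sample config is constructed for the example and carries the injected value shown in the Technical Details section; an empty value is treated as "ImageMagick disabled" and passes.

```python
import re

# Roundcube config keys whose values end up on an ImageMagick command line.
IM_KEYS = ("im_convert_path", "im_identify_path")

# Characters with shell meaning; none of them belongs in a plain path to a binary.
SHELL_META = set(";|&$`<>()\n\r\"'\\*?")

# One assignment per line, e.g.  $config['im_convert_path'] = '/usr/bin/convert';
# ($rcmail_config is the array name used by older Roundcube configs.)
_ASSIGN = re.compile(
    r"""\$(?:config|rcmail_config)\s*\[\s*(['"])(\w+)\1\s*\]\s*=\s*(['"])(.*?)\3\s*;"""
)


def parse_im_paths(config_text):
    """Return {key: value} for every im_*_path assignment in config_text."""
    found = {}
    for _, key, _, value in _ASSIGN.findall(config_text):
        if key in IM_KEYS:
            found[key] = value
    return found


def audit_value(key, value):
    """List problems with one ImageMagick path setting; an empty list means it is OK."""
    if value == "":
        return []                      # empty string disables ImageMagick use
    problems = []
    bad = sorted(c for c in set(value) if c in SHELL_META)
    if bad:
        problems.append(f"{key}: shell metacharacters {bad!r} in {value!r}")
    if not value.startswith("/"):
        problems.append(f"{key}: not an absolute path: {value!r}")
    return problems


def audit_config(config_text):
    """Audit every ImageMagick path setting found in a config.inc.php body."""
    problems = []
    for key, value in parse_im_paths(config_text).items():
        problems.extend(audit_value(key, value))
    return problems


# Constructed sample: one clean value and one carrying the injected string from above.
SAMPLE_CONFIG = """<?php
$config['im_identify_path'] = '/usr/bin/identify';
$config['im_convert_path'] = '/usr/bin/convert; malicious-command; echo';
"""
```

To run it against a real deployment, pass the contents of config/config.inc.php to audit_config and treat any returned line as a finding to investigate.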
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-12641 |
| Vendor / Product | Roundcube — Roundcube Webmail |
| NVD Published | 2020-05-04 |
| NVD Last Modified | 2025-11-04 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-78 |
| CISA KEV Added | 2023-06-22 |
| CISA KEV Deadline | 2023-07-13 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2020-04-29 | Roundcube releases security updates 1.4.4, 1.3.11, 1.2.10 |
| 2020-05-04 | CVE-2020-12641 published |
| 2023-06-22 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-07-13 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Roundcube Security Updates 1.4.4 / 1.3.11 / 1.2.10 | Vendor Advisory |
| NVD — CVE-2020-12641 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |