Weaponizing XSS: Cyberespionage tactics in webmail exploitation

Matthieu Faou

NorthSec 2025 · Day 1 · Salle de bal

ESET Senior Malware Researcher Matthieu Faou presented two years of research into XSS exploitation in on-premises webmail applications — Roundcube, MDaemon, Zimbra, and Horde. The research identified two zero-day vulnerabilities (CVE-2023-5631 in Roundcube, CVE-2024-11182 in MDaemon), multiple N-day exploits used in the wild, and detailed JavaScript payload analysis across three state-sponsored cyberespionage groups: Russia-aligned Sednit (APT28) and GreenCube, and Belarus-aligned Winter Vivern. The talk provides a practical map of how regex- and deny-list-based HTML sanitizers fail against parser confusion attacks and whitespace tricks.

AI review

ESET's Matthieu Faou presents two years of research into XSS exploitation in on-premises webmail (Roundcube, MDaemon, Zimbra, Horde), including two zero-days he discovered (CVE-2023-5631, CVE-2024-11182) and operational analysis of three state-sponsored cyberespionage groups exploiting these applications: Russia-aligned Sednit (APT28) targeting Ukrainian defense in Operation RoundPress, Belarus-aligned Winter Vivern targeting European diplomats, and GreenCube. Includes parser confusion attack class analysis, sanitizer bypass mechanics, and practical defensive guidance.
