What's happened
On May 15, 2025, ESET reported that the Kremlin-backed hacking group Sednit exploited cross-site scripting (XSS) vulnerabilities in mail server software to access high-value email accounts. The attacks targeted defense contractors in Bulgaria and Romania, as well as governmental organizations in those countries.
What's behind the headline?
Key Insights
- Targeted Exploits: Sednit's operation, named RoundPress, specifically targeted defense contractors in Eastern Europe, indicating a strategic focus on military-related information.
- Vulnerability Exploitation: The group exploited XSS vulnerabilities in multiple mail server platforms, underscoring the ongoing risk posed by outdated or unpatched software.
- Phishing Tactics: The XSS exploits were delivered through spear-phishing emails, which highlights the importance of user awareness and training in cybersecurity.
- Geopolitical Implications: The targeting of defense contractors in Bulgaria and Romania suggests a broader geopolitical strategy, potentially aimed at undermining military support for Ukraine amidst ongoing conflict with Russia.
- Future Risks: As XSS vulnerabilities continue to be exploited, organizations must prioritize security updates and employee training to reduce the risk from phishing and related threats.
What the papers say
According to Ars Technica, ESET reported that Sednit exploited vulnerabilities in mail server software from four different makers, including Roundcube and MDaemon. The report notes that the group targeted not only defense contractors but also governmental organizations in Bulgaria and Romania. TechCrunch emphasizes the importance of user awareness in preventing such attacks, noting that phishing remains a prevalent threat. The continued exploitation of XSS vulnerabilities underscores the need for organizations to keep security measures up to date and educate employees about the risks.
How we got here
Cross-site scripting (XSS) vulnerabilities have been a concern since 2005, with notable exploits like the Samy Worm. Recent reports indicate that Sednit has been actively exploiting these vulnerabilities in various mail server software, including Roundcube and MDaemon, to gain unauthorized access to sensitive information.