CVE-2020-12641

CRITICAL KEV NUCLEI

Roundcube Webmail < 1.4.4 - Remote Code Execution via Shell Metacharacters in Image Configuration

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-12641 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 22, 2023. EIP tracks 2 public exploits from researchers including mbadanoiu. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository describes a command injection bypass for CVE-2020-12641 in Roundcube Webmail, leveraging insufficient sanitization by the `escapeshellcmd` function. The bypass allows arbitrary command execution when a user opens an email with a non-standard image.

Description

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

Exploits (2)

nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/MAL-004

This repository describes a command injection bypass for CVE-2020-12641 in Roundcube Webmail, leveraging insufficient sanitization by the `escapeshellcmd` function. The bypass allows arbitrary command execution when a user opens an email with a non-standard image.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Roundcube Webmail before 1.4.5, 1.3.12
Auth required
Prerequisites: Access to Roundcube Webmail installer component · A valid Roundcube user opening a malicious email
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP
by mbadanoiu · poc
https://github.com/mbadanoiu/CVE-2020-12641

This repository provides a writeup for CVE-2020-12641, a command injection vulnerability in Roundcube Webmail. The vulnerability allows an attacker with access to the Roundcube Installer to inject system commands via the '_im_convert_path' parameter, which execute when a user opens an email with a non-standard image.

Classification
Writeup 90%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Roundcube Webmail versions before 1.4.4, 1.3.11, and 1.2.10
Auth required
Prerequisites: Access to the Roundcube Webmail installer component · A Roundcube user opening an email with a non-standard image
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Roundcube Webmail - Command Injection
CRITICALVERIFIEDby domwhewell-sage
Shodan: http.component:"roundcube" || cpe:"cpe:2.3:a:roundcube:webmail"

References (8)

Core 8
Core References
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202007-41
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00083.html

Scores

CVSS v3 9.8
EPSS 0.8446
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2023-06-22
VulnCheck KEV 2023-06-20
InTheWild.io 2023-06-22
ENISA EUVD EUVD-2020-4942
CWE
CWE-78
Status published
Products (4)
opensuse/backports_sle 15.0 sp1 (2 CPE variants)
opensuse/leap 15.1
opensuse/leap 15.2
roundcube/webmail 1.2.0 - 1.2.10
Published May 04, 2020
KEV Added Jun 22, 2023
Tracked Since Feb 18, 2026