Cyber Resilience

CVE-2020-12641

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · RCE

Published: 04 May 2020
Modified: 04 November 2025
KEV Added: 22 June 2023
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9327 (99.8th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-12641 is a critical-severity OS Command Injection (CWE-78) vulnerability in Roundcube Webmail. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-12641 is a command injection vulnerability (CWE-78) in rcube_image.php within Roundcube Webmail versions prior to 1.4.4. It arises when user-supplied values containing shell metacharacters are passed to the ImageMagick utilities configured via the im_convert_path or im_identify_path settings, enabling arbitrary operating system command execution.

Unauthenticated remote attackers can exploit the flaw over the network by manipulating these configuration parameters. Successful exploitation grants full control over the affected webmail instance, including the ability to read, modify, or delete data and execute code with the privileges of the web server process.

The referenced Roundcube 1.4.4 release and associated commit address the issue by sanitizing the path configuration values before they are used in shell commands. OpenSUSE and other distribution advisories recommend upgrading to the patched version as the primary mitigation.
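The defensive pattern the fix description implies, as an added illustration that is not Roundcube's code and not its actual patch: a hypothetical audit of the im_convert_path and im_identify_path settings that rejects shell metacharacters, and an invocation that hands the binary path and image filename to the operating system as an argv list so no shell parses either. Written in Python for clarity; the function names and the metacharacter set are this example's own assumptions.

```python
# Added illustration of the CVE-2020-12641 bug class; hypothetical, not Roundcube's code.
# Audits the im_convert_path / im_identify_path settings for shell metacharacters and
# runs ImageMagick via an argv list so no shell ever parses the path or the filename.
import re
import subprocess
from typing import Dict, List

# Characters a POSIX shell would interpret if the value were interpolated into a
# command string. A legitimate absolute path to a binary needs none of them.
SHELL_META = re.compile(r"""[;&|`$<>(){}\[\]*?!~\\'"\s]""")
PATH_SETTINGS = ("im_convert_path", "im_identify_path")


def validate_binary_path(value: str) -> str:
    """Return value unchanged if it is a plain absolute path; raise ValueError otherwise."""
    if not value:
        raise ValueError("empty path")
    if SHELL_META.search(value):
        raise ValueError(f"shell metacharacters in path: {value!r}")
    if not value.startswith("/"):
        raise ValueError(f"path must be absolute: {value!r}")
    return value


def audit_config(cfg: Dict[str, str]) -> List[str]:
    """Check each configured ImageMagick path; return findings (empty list = clean)."""
    findings = []
    for key in PATH_SETTINGS:
        if not cfg.get(key):
            continue  # unset means the ImageMagick integration is not in use
        try:
            validate_binary_path(cfg[key])
        except ValueError as exc:
            findings.append(f"{key}: {exc}")
    return findings


def identify_argv(identify_path: str, image_file: str) -> List[str]:
    """Build argv for identify. Metacharacters in image_file stay inert because the
    list goes straight to execve; a leading '-' is refused to block option injection."""
    if image_file.startswith("-"):
        raise ValueError("image filename must not look like an option")
    return [validate_binary_path(identify_path), "-format", "%m", image_file]


def run_identify(identify_path: str, image_file: str) -> str:
    """Run identify with shell=False (the default); return the reported image format."""
    proc = subprocess.run(identify_argv(identify_path, image_file),
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()
```

Running audit_config over a deployed config at startup turns a tampered path setting into a refused configuration rather than a command the web server executes.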

A public proof-of-concept demonstrating the injection vector is available in the referenced GitHub disclosure repository.

Vulnerability details

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

CWE(s): CWE-78 (OS Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

roundcube webmail: 1.2.0 — 1.2.10 · 1.3.0 — 1.3.11 · 1.4.0 — 1.4.4
opensuse backports sle: 15.0
opensuse leap: 15.1, 15.2

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 Information Input Validation: directly requires validation and sanitization of the configuration inputs (im_convert_path, im_identify_path) to block shell metacharacters before they reach external commands.

prevent · SI-2 Flaw Remediation: mandates timely application of the vendor patch (1.4.4+) that sanitizes the path values and eliminates the command-injection flaw.

prevent · CM-7 Least Functionality: enforces least functionality by disabling or restricting unnecessary ImageMagick integration and the external command execution paths that enable the injection.

References