CISA Adds Two Actively Exploited Roundcube Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two high-risk vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. The move comes after reports of active exploitation, underscoring the urgency for organizations to patch affected systems promptly.

Details of the Vulnerabilities

The newly listed vulnerabilities include:

  1. CVE-2025-49113 – CVSS Score 9.9
    • Deserialization of untrusted data vulnerability
    • Allows remote code execution by authenticated users
    • Exploitable via the _from parameter in program/actions/settings/upload.php
    • Fixed in June 2025
  2. CVE-2025-68461 – CVSS Score 7.2

Dubai-based cybersecurity company FearsOff, founded by Kirill Firsov, discovered CVE-2025-49113. According to Firsov, attackers had “diffed and weaponized” the vulnerability within 48 hours of its public disclosure, and an exploit was made available for sale on June 4, 2025.

The flaw could be triggered reliably on default Roundcube installations and had been hidden in the codebase for more than a decade.

Exploitation and Threat Actors

While the identities of the attackers exploiting these Roundcube vulnerabilities remain unknown, similar flaws in the software have historically been weaponized by sophisticated nation-state groups, including APT28 and Winter Vivern. These vulnerabilities pose a serious risk to organizations using unpatched versions of Roundcube, particularly in federal and enterprise environments.

Federal Guidance and Remediation

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by March 13, 2026. This measure is intended to secure government networks against the active threats.

CISA strongly recommends that all organizations running Roundcube:

  • Apply the official patches provided in June 2025 and December 2025 for the respective vulnerabilities
  • Review system logs for suspicious activity
  • Limit access to management interfaces and implement strict authentication controls
  • Conduct routine vulnerability scans to detect potential exposures
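For the "review system logs" step above, here is an added triage script (not from the article, CISA or the Roundcube project) that scans web-server access logs for requests to the settings upload handler carrying a `_from` parameter, the parameter named in the CVE-2025-49113 entry. It assumes Apache combined log format, that Roundcube reaches `program/actions/settings/upload.php` via the `_task=settings&_action=upload` query parameters, and that ordinary `_from` values are short identifier-like tokens; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:08:01:12 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:08:02:30 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 310 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2025:08:05:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=x%21y%7Bz%3B%7D HTTP/1.1" 200 310 "-" "curl/8.0"
"""

# Apache combined format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: legitimate _from values are short tokens of letters, digits,
# hyphen or underscore. Anything else is surfaced for analyst review.
EXPECTED_FROM = re.compile(r'^[A-Za-z0-9_-]{1,32}$')


def flag_upload_requests(log_text):
    """Return one record per request to the settings upload action whose
    _from parameter does not look like an ordinary token."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        qs = parse_qs(urlsplit(m['url']).query)
        if qs.get('_task') != ['settings'] or qs.get('_action') != ['upload']:
            continue  # only the settings upload handler is of interest
        for value in qs.get('_from', []):  # parse_qs has already URL-decoded it
            if not EXPECTED_FROM.match(value):
                findings.append({
                    'ip': m['ip'], 'time': m['time'], 'status': m['status'],
                    'from_len': len(value), 'from_value': value,
                })
    return findings


if __name__ == '__main__':
    for finding in flag_upload_requests(SAMPLE_LOG):
        print(finding)
```

Flagged entries are leads for review, not confirmed exploitation; correlate them with the server's PHP error log and the account that was authenticated at the time.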
