CISA Warns Recently Patched RoundCube Vulnerabilities Are Now Being Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding two recently patched vulnerabilities affecting Roundcube Webmail. The agency confirmed that both flaws are now being actively exploited in real-world attacks and has directed federal agencies to apply patches within three weeks.

Roundcube has served as the default webmail interface for cPanel since 2008, making it one of the most widely deployed web based email platforms globally.

Critical RCE Vulnerability Actively Abused

The first flaw, tracked as CVE-2025-49113, is a critical remote code execution vulnerability: a PHP object deserialization bug that an attacker holding valid webmail credentials can trigger, so phished or reused passwords are enough to reach it. It was observed being exploited shortly after patches were released in June 2025.

At the time, internet monitoring organization Shadowserver Foundation reported that more than 84,000 Roundcube instances were exposed and potentially vulnerable to exploitation.

Remote code execution vulnerabilities are particularly dangerous because they allow attackers to run arbitrary commands on affected servers, potentially leading to full system compromise, data theft, and lateral movement within enterprise networks.

XSS Vulnerability Enables Remote Attacks

The second vulnerability, CVE-2025-68461, was patched in December 2025. According to the Roundcube security team, it is a low-complexity cross-site scripting (XSS) flaw that a remote attacker can trigger without authenticating to the target instance.

The attack abuses the <animate> element in SVG content delivered in a crafted email: when the victim opens the message, the animation element carries attacker-controlled script past the HTML sanitizer and runs it in the context of the victim's webmail session.

When releasing versions 1.6.12 and 1.5.12, the Roundcube team strongly urged administrators to update production environments on the 1.6.x and 1.5.x branches immediately.
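As an added illustration of the sanitizer-side check a mail operator would want, the following Python audits an HTML mail body for SVG animation elements that can turn into script. It is example code written for this article, not Roundcube's own sanitizer and not a reproduction of the CVE-2025-68461 exploit; the message bodies are constructed, and the suspect vectors are the generic SVG <animate> tricks from public XSS cheat sheets (an event handler on the animation element, and animating a link's href to a javascript: URL).

```python
"""Audit an HTML mail body for SVG SMIL animation elements that can run script.

Added example for this article, not Roundcube's own sanitizer (rcube_washtml)
and not a reproduction of the CVE-2025-68461 exploit. The bodies below are
constructed; the suspect vectors are the generic SVG <animate> tricks from
public XSS cheat sheets.
"""
from html.parser import HTMLParser

# SMIL elements that can change attributes or fire events while an SVG renders
SMIL_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
# attributes that, once animated to a javascript: URL, turn a link into script
LINK_ATTRS = {"href", "xlink:href"}
# SMIL attributes that carry the animated value(s)
VALUE_ATTRS = ("values", "to", "from", "by")


def is_script_url(value: str) -> bool:
    """True for javascript:/vbscript: URLs, ignoring embedded whitespace tricks."""
    compact = "".join(value.split()).lower()
    return compact.startswith(("javascript:", "vbscript:"))


class AnimateAuditor(HTMLParser):
    """Collects a finding for every SMIL element that carries an event handler
    or animates a link target with keyframes containing a script URL."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        # HTMLParser hands tag and attribute names over lowercased
        if tag not in SMIL_TAGS:
            return
        a = {name: (value or "") for name, value in attrs}
        for name in a:
            if name.startswith("on"):
                self.findings.append(f"<{tag}> carries event handler {name}")
        if a.get("attributename", "").lower() in LINK_ATTRS:
            for carrier in VALUE_ATTRS:
                keyframes = a.get(carrier, "").split(";")
                if any(is_script_url(k) for k in keyframes):
                    self.findings.append(
                        f"<{tag}> animates {a['attributename']} to a script URL via {carrier}"
                    )


def audit_mail_html(html: str) -> list[str]:
    """Return the findings for one HTML body; an empty list means nothing was flagged."""
    auditor = AnimateAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# constructed sample bodies
BENIGN_MAIL = (
    '<p>Quarterly report attached.</p>'
    '<svg width="20" height="20"><circle cx="10" cy="10" r="2">'
    '<animate attributeName="r" values="2;6;2" dur="1s" repeatCount="indefinite"/>'
    '</circle></svg>'
)
SUSPECT_LINK_MAIL = (
    '<svg><a><animate attributeName="href" values="javascript:alert(document.cookie)"/>'
    '<text x="20" y="20">open invoice</text></a></svg>'
)
SUSPECT_HANDLER_MAIL = '<svg><animate onbegin="alert(1)" attributeName="x" dur="1s"/></svg>'

if __name__ == "__main__":
    samples = [("benign", BENIGN_MAIL), ("link", SUSPECT_LINK_MAIL), ("handler", SUSPECT_HANDLER_MAIL)]
    for label, body in samples:
        print(label, audit_mail_html(body) or "clean")
```

The benign body animates a circle's radius and is left alone; the other two are flagged. A real sanitizer would strip every SMIL element outright rather than try to enumerate dangerous attribute combinations, which is why an allow-list approach is the safer design for rendering untrusted mail.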

Thousands of Exposed Instances Online

Security search engine Shodan currently lists over 46,000 Roundcube instances accessible from the public internet. However, it remains unclear how many of these systems are still vulnerable to CVE-2025-49113 or CVE-2025-68461.

Roundcube instances online (Shodan)
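Exposure counts say nothing about patch state, so the useful check is per-host version triage. The following Python is an added example written for this article, not Roundcube or CISA tooling. It compares a version string against the fixed releases for both KEV entries: CVE-2025-49113 was fixed in 1.6.11 and 1.5.10 (the June 2025 releases, taken from Roundcube's advisory rather than this article) and CVE-2025-68461 in 1.6.12 and 1.5.12. The inventory lines are constructed sample data; how you obtain each host's version (banner, package manager, cPanel) is left to you.

```python
"""Triage Roundcube version strings against the fixed releases for both KEV entries.

Added example, not Roundcube or CISA tooling. Fixed versions used here:
CVE-2025-49113 was fixed in 1.6.11 and 1.5.10 (June 2025); CVE-2025-68461 in
1.6.12 and 1.5.12 (December 2025). The inventory below is constructed sample data.
"""
import re

FIXED_IN = {
    "CVE-2025-49113": {"1.6": (1, 6, 11), "1.5": (1, 5, 10)},
    "CVE-2025-68461": {"1.6": (1, 6, 12), "1.5": (1, 5, 12)},
}


def parse_version(text: str) -> tuple:
    """Extract major.minor.patch from strings like '1.6.10', '1.5.9-git' or 'Roundcube 1.4.15'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def triage(version: str) -> dict:
    """Report which of the two CVEs a given Roundcube version is still exposed to."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    report = {"version": version, "vulnerable": [], "note": ""}
    for cve, fixes in FIXED_IN.items():
        fixed = fixes.get(branch)
        if fixed is not None:
            if v < fixed:
                report["vulnerable"].append(cve)
        elif v < min(fixes.values()):
            # an older branch (1.4.x and earlier) never received these fixes
            report["vulnerable"].append(cve)
            report["note"] = "unsupported branch; upgrade to a maintained release"
        else:
            # a branch newer than the advisories cover: do not guess
            report["note"] = "branch not covered by the advisories; verify manually"
    return report


def triage_inventory(lines: list) -> list:
    """Run triage over 'host version' lines, e.g. from an asset inventory export."""
    reports = []
    for line in lines:
        host, _, version = line.strip().partition(" ")
        r = triage(version)
        r["host"] = host
        reports.append(r)
    return reports


# constructed inventory: hostnames and versions are illustrative
SAMPLE_INVENTORY = [
    "mail.example.org 1.6.10",
    "webmail.example.net 1.6.11",
    "mx.example.com 1.5.12",
    "legacy.example.edu 1.4.15",
]

if __name__ == "__main__":
    for r in triage_inventory(SAMPLE_INVENTORY):
        print(r["host"], r["version"], r["vulnerable"] or "patched", r["note"])
```

Note that a host on 1.6.11 is patched against the RCE but still exposed to the XSS, and anything on a 1.4.x or older branch is exposed to both because those branches no longer receive security releases.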

Added to CISA KEV Catalog

Although technical details of ongoing exploitation were not disclosed, CISA added both vulnerabilities to its Known Exploited Vulnerabilities catalog (KEV).

The agency described them as frequent attack vectors posing significant risk to federal networks. Under Binding Operational Directive 22-01, issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV-listed vulnerabilities by the due date CISA assigns. In this case, agencies have until March 13 to secure affected systems.

CISA also tracks ten additional Roundcube vulnerabilities that have either been actively exploited or abused in past campaigns.

Roundcube as a Recurring Target

Roundcube vulnerabilities have long attracted cybercriminal and state-sponsored threat actors. A notable example is CVE-2023-5631, a stored XSS flaw exploited in zero-day attacks by Winter Vivern, also known as TA473, against European government entities.

The Russian cyber espionage group APT28 also leveraged Roundcube vulnerabilities to compromise Ukrainian government email systems.
