CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities in question are listed below -
- CVE-2025-49113 (CVSS score: 9.9) - A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)
- CVE-2025-68461 (CVSS score: 7.2) - A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025)

Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers have already “diffed and weaponized the vulnerability” within 48 hours of public disclosure of the flaw. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025.
Article Summaries:
- CISA added two Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE‑2025‑49113, a deserialization flaw that allows remote code execution for authenticated users (CVSS 9.9), was weaponized within 48 hours of disclosure and an exploit was sold on June 4, 2025. CVE‑2025‑68461, a cross‑site scripting issue triggered by an SVG animate tag (CVSS 7.2), is also listed. The first flaw was identified by FearsOff’s Kirill Firsov, who noted it could be reliably triggered on default installations. No attribution is available, but similar Roundcube exploits have been linked to nation‑state actors. Federal civilian agencies must remediate the flaws by March 13, 2026.
- CISA warned on Friday that two RoundCube Webmail vulnerabilities are being exploited in the wild. The first, CVE‑2025‑49113, is a post‑authentication remote code‑execution flaw (CVSS 9.9) that affects all RoundCube 1.1.0‑1.6.10 releases. The second, CVE‑2025‑68461, is a high‑severity cross‑site scripting bug (CVSS 7.2) that can be triggered via an SVG animate tag and impacts versions 1.6.12 and 1.5.12. Both defects were patched (June 1 and December 2025, respectively) but attackers deployed exploits within days of disclosure. CISA urges federal agencies to patch both issues within three weeks under BOD 22‑01 and recommends reviewing its Known Exploited Vulnerabilities catalog.
- CISA has identified two recently patched Roundcube Webmail vulnerabilities that are now being actively exploited. The critical remote‑code‑execution flaw (CVE‑2025‑49113) was first abused days after its June 2025 patch, while the low‑complexity cross‑site scripting issue (CVE‑2025‑68461) was exploited after a December 2025 fix. Roundcube released versions 1.6.12 and 1.5.12 to address both bugs. Shodan reports over 46,000 Roundcube instances online, though the exact number vulnerable is unknown. CISA added the flaws to its Known Exploited Vulnerabilities catalog and ordered all U.S. federal civilian agencies to patch them by March 13 under BOD 22‑01.
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CVE-2025-49113, a deserialization flaw that allows remote code execution for authenticated users, carries a CVSS score of 9.9 and was fixed in June 2025. CVE-2025-68461, a cross-site scripting issue triggered by an SVG animate tag, has a CVSS score of 7.2 and was fixed in December 2025. Attackers weaponized the first flaw within 48 hours of disclosure, and an exploit was sold on June 4, 2025. No attribution is known, but similar flaws have been used by nation-state actors. Federal civilian agencies must remediate the issues by March 13, 2026.
Sources:
- https://thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html
- https://www.securityweek.com/recent-roundcube-webmail-vulnerability-exploited-in-attacks/
- https://www.bleepingcomputer.com/news/security/cisa-recently-patched-roundcube-flaws-now-exploited-in-attacks/ (Latest source article published: 2026-02-23 11:44 UTC)