CISA Warns of Critical Roundcube Flaws Amid Active Exploitation; Urges Immediate Patching

CISA Flags Critical Roundcube Vulnerabilities Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two significant security vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation in the wild.

Identified Vulnerabilities:

1. CVE-2025-49113: This critical flaw, with a CVSS score of 9.9, is a deserialization of untrusted data. Inadequate validation of the `_from` parameter in `program/actions/settings/upload.php` lets an authenticated user achieve remote code execution. The vulnerability was addressed in June 2025.

2. CVE-2025-68461: Rated with a CVSS score of 7.2, this cross-site scripting (XSS) vulnerability can be exploited through the `animate` tag within an SVG document. The issue was resolved in December 2025.
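The two items above each name the input that was not validated: the `_from` query parameter of `upload.php`, and `animate` elements inside SVG content. As an added defender-side example (not code from the original article, Roundcube, CISA or FearsOff), the following Python script shows two checks an administrator could run while waiting for or verifying a patch: a scan of web-server access logs for `_from` values that are not plain identifiers, and a pre-render inspection of SVG attachments for animation elements. The combined-log format and the query layout of the constructed sample lines are assumptions, as is the "short identifier" rule for `_from`; the SVG check generalises beyond the page's `animate` to its SMIL siblings (`animateMotion`, `animateTransform`, `set`).

```python
"""Defender-side checks for the two Roundcube issues named above.
Added example: not code from Roundcube, CISA or FearsOff.

Check 1 scans access logs for requests whose `_from` query parameter is
not a plain identifier (the article places that parameter in
program/actions/settings/upload.php; the query layout of the sample
lines below is an assumption).
Check 2 inspects an SVG attachment for animation elements before it is
rendered inline.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate `_from` value is a short identifier. Anything
# carrying quotes, braces, colons or other punctuation deserves review.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# Apache/nginx combined-log shape: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real traffic. The third carries a `_from`
# value with percent-encoded punctuation (":{" once decoded).
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:01:12 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 5123
203.0.113.10 - - [05/Jun/2025:10:02:40 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 310
198.51.100.7 - - [05/Jun/2025:10:03:01 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%3A%7B HTTP/1.1" 200 310
"""


def suspicious_from_values(log_text):
    """Return (client_ip, timestamp, decoded_value) for every `_from` value
    that fails the identifier check."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip it
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for value in query.get("_from", []):  # parse_qs percent-decodes for us
            if not SAFE_FROM.match(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


# Animation elements to refuse in user-supplied SVG. The article names
# `animate`; its SMIL siblings are included as a defensive generalisation.
ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "set"}

# Constructed samples: one plain drawing, one carrying an animate element.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ANIMATED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1">'
    b'<animate attributeName="width" to="2" dur="1s"/></rect></svg>'
)


def svg_animation_elements(svg_bytes):
    """Return the local names of animation elements found anywhere in an SVG.
    Malformed XML is reported as ["<unparseable>"] so the caller rejects it
    instead of leaving the decision to a lenient browser parser. For
    untrusted input in production, parse with defusedxml rather than the
    stdlib parser to rule out entity-expansion tricks."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["<unparseable>"]
    found = []
    for el in root.iter():
        if not isinstance(el.tag, str):
            continue  # Comment/PI nodes have non-string tags with some parsers
        local = el.tag.rsplit("}", 1)[-1].lower()  # drop namespace, ignore case
        if local in ANIMATION_TAGS:
            found.append(local)
    return found


def attachment_allowed(svg_bytes):
    """Policy decision for inline rendering: True only for clean SVG."""
    return not svg_animation_elements(svg_bytes)


if __name__ == "__main__":
    for ip, ts, value in suspicious_from_values(SAMPLE_ACCESS_LOG):
        print(f"review: {ip} at {ts} sent _from={value!r}")
    print("benign svg allowed:", attachment_allowed(BENIGN_SVG))
    print("animated svg allowed:", attachment_allowed(ANIMATED_SVG))
```

Both checks are deliberately conservative: the log scan flags any `_from` value outside a narrow character set rather than matching a specific payload, and the SVG check lowercases element names because a browser's HTML parser, unlike an XML parser, is case-insensitive. Neither replaces applying the vendor fix; they help find attempts made before the patch landed and keep unpatched mailboxes from rendering animated SVG inline.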

Discovery and Exploitation:

Dubai-based cybersecurity firm FearsOff, led by CEO Kirill Firsov, identified and reported CVE-2025-49113. Firsov noted that attackers had analyzed and weaponized the vulnerability within 48 hours of its public disclosure. An exploit for this flaw was subsequently made available for sale on June 4, 2025. Firsov emphasized that this vulnerability could be reliably triggered on default Roundcube installations and had remained undetected in the codebase for over a decade.

Potential Threat Actors:

While specific details regarding the entities exploiting these vulnerabilities remain undisclosed, historical data indicates that nation-state actors such as APT28 and Winter Vivern have previously targeted multiple vulnerabilities within Roundcube.

CISA’s Directive:

In response to these active threats, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate the identified vulnerabilities by March 13, 2026, to bolster network security.

Implications for Organizations:

The swift exploitation of these vulnerabilities underscores the critical need for organizations to maintain vigilant patch management practices. Regularly updating software and promptly addressing known vulnerabilities are essential steps in mitigating potential security breaches.

Conclusion:

The inclusion of these Roundcube vulnerabilities in CISA’s KEV catalog serves as a stark reminder of the ever-evolving cyber threat landscape. Organizations are urged to assess their systems for these vulnerabilities and implement the necessary patches without delay to safeguard their digital assets.