U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two RoundCube Webmail flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: Roundcube is a popular webmail platform and has been repeatedly targeted […] U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two RoundCube Webmail flaws to its Known Exploited Vulnerabilities (KEV) catalog. Below are the flaws added to the catalog: CVE-2025-49113 (CVSS score of 9.9) RoundCube Webmail Deserialization of Untrusted Data Vulnerability CVE-2025-68461 (CVSS score: 7.2) RoundCube Webmail Cross-site Scripting Vulnerability Roundcube is a popular webmail platform and has been repeatedly targeted by advanced threat groups like APT28 and Winter Vivern. In the past, attackers exploited these vulnerabilities to steal login credentials and spy on sensitive communications. These campaigns show how unpatched systems remain a serious risk, especially for high-value targets. The critical flaw CVE-2025-49113 is a deserialization of untrusted data vulnerability. The flaw went unnoticed for over a decade, an attacker can exploit it to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability. “Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.” reads the advisory published by NIST. The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS. At the time of the discovery, Firsov estimated that the flaw was impacting over 53 million hosts (and tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.), Researchers at Positive Technologies announced they have reproduced CVE-2025-49113 in Roundcube. The experts urge users to update to the latest version of Roundcube immediately. The second flaw, tracked as CVE-2025-68461, added to the Kev catalog is a cross-site scripting vulnerability. “Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.” reads the advisory. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure. CISA orders federal agencies to fix the vulnerabilities by March 10, 2026. Follow me on Twitter: @securityaffairs and Facebook and Mastodon Pierluigi Paganini (SecurityAffairs hacking, CISA)
Published: 2026-02-21T11:19:44