CISA Adds Two Actively Exploited Roundcube Vulnerabilities to KEV Catalog

  • Feb 22

Key Findings:


  • CISA has added two actively exploited vulnerabilities in Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog.

  • The vulnerabilities are CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 (CVSS 7.2).

  • CVE-2025-49113 is a deserialization of untrusted data flaw that allows remote code execution by authenticated users.

  • CVE-2025-68461 is a cross-site scripting vulnerability in the "animate" tag of an SVG document.

  • Attackers weaponized CVE-2025-49113 within 48 hours of public disclosure, and an exploit is available for sale.

  • Roundcube vulnerabilities have previously been exploited by nation-state threat actors such as APT28 and Winter Vivern.

  • Federal agencies must remediate the identified vulnerabilities by March 13, 2026 to secure their networks.


Background


Roundcube is popular open-source webmail software used by many organizations worldwide. The two vulnerabilities added to CISA's KEV catalog are serious security flaws that have been actively exploited by threat actors.


CVE-2025-49113 - Remote Code Execution


  • This vulnerability (CVSS 9.9) allows remote code execution by authenticated users due to improper validation of the "_from" parameter in the "program/actions/settings/upload.php" file.

  • Attackers weaponized this vulnerability within 48 hours of public disclosure, and an exploit is available for sale.

  • The flaw had been present in the Roundcube codebase for over 10 years before being discovered and fixed in June 2025.


CVE-2025-68461 - Cross-Site Scripting


  • This vulnerability (CVSS 7.2) enables cross-site scripting attacks via the "animate" tag in an SVG document.

  • The vulnerability was fixed in December 2025.


Threat Actor Activity


  • Multiple vulnerabilities in Roundcube have been exploited by nation-state threat actors like APT28 and Winter Vivern in the past.

  • There are currently no details on who is behind the exploitation of the two newly disclosed Roundcube flaws.


Remediation Actions


  • Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by March 13, 2026 to secure their networks against the active threat.

  • Organizations using Roundcube should urgently apply the available patches to protect their systems.


Sources


  • https://thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html

  • https://x.com/shah_sheikh/status/2025119322507501957

  • https://x.com/TheCyberSecHub/status/2025119359556092132

  • https://malware.news/t/cisa-adds-two-roundcube-flaws-to-kev-what-organizations-must-do/104304

  • https://www.linkedin.com/posts/dlross_cisa-adds-two-actively-exploited-roundcube-activity-7431163325549273088-Kshy
