The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2025-49113 (CVSS score: 9.9) – A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)
- CVE-2025-68461 (CVSS score: 7.2) – A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025)
Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers have already “diffed and weaponized the vulnerability” within 48 hours of public disclosure of the flaw. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025.
Firsov also noted that the shortcoming can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years.
There are no details on who is behind the exploitation of the two Roundcube flaws. But multiple vulnerabilities in the email software have been weaponized by nation-state threat actors like APT28 and Winter Vivern.
Federal Civilian Executive Branch (FCEB) agencies are to remediate identified vulnerabilities by March 13, 2026, to secure their networks against the active threat.
