The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two security flaws in the widely used Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The addition signals an urgent threat to organizations relying on the platform.
Immediate Action Required: Two Critical Flaws Under Attack
CISA’s latest update highlights two distinct vulnerabilities that are currently being leveraged by malicious actors:
CVE-2025-49113: The Decade-Old RCE Threat (CVSS: 9.9)
- This deserialization-of-untrusted-data vulnerability lets an authenticated user achieve remote code execution (RCE). The flaw stems from inadequate validation of the _from parameter in program/actions/settings/upload.php.
- Fixed in June 2025 (Roundcube 1.6.11 and 1.5.10), the vulnerability had reportedly lurked in Roundcube's codebase for over a decade before it was reported. The authentication requirement is a low bar for webmail: any valid mailbox login, including one obtained by phishing or password reuse, is enough.
CVE-2025-68461: Cross-Site Scripting via SVG (CVSS: 7.2)
- A cross-site scripting (XSS) vulnerability that can be triggered through the animate tag within an SVG document. While less severe than the RCE, XSS in a webmail client can lead to session hijacking, data theft, and defacement; the payload typically arrives inside an HTML message, so the attacker needs no account on the target server. This issue was addressed in December 2025.
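As an added illustration (not Roundcube's own code, and not the CVE-2025-68461 payload, which the advisory does not publish), the following Python scanner shows the general SVG mechanism behind this vulnerability class: an animate or set element that rewrites its parent's href to a script URL at render time. That this is the exact mechanism of CVE-2025-68461 is an assumption; the sample documents are constructed for the example.

```python
"""Flag SVG animation elements (animate/set/...) that can rewrite a link target
to a script URL. This is the general SMIL-based XSS pattern; its relation to the
exact CVE-2025-68461 payload is an assumption, not taken from the advisory."""
import xml.etree.ElementTree as ET

# SMIL animation elements: they change attributes of their parent at render time.
ANIMATION_TAGS = {"animate", "set", "animatemotion", "animatetransform"}
# Parent attributes that, once rewritten to a script URL, execute on click/load.
TARGET_ATTRS = {"href", "xlink:href"}
# Attributes through which an animation element supplies the new value(s).
VALUE_ATTRS = {"to", "from", "by", "values"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(name: str) -> str:
    """Strip a Clark-notation namespace, e.g. '{http://www.w3.org/2000/svg}animate'."""
    return name.rsplit("}", 1)[-1].lower()


def _normalise(value: str) -> str:
    """Remove ASCII control/whitespace characters that browsers skip inside a scheme."""
    return "".join(ch for ch in value if ord(ch) > 0x20).lower()


def has_script_scheme(value: str) -> bool:
    """True if any ';'-separated entry (values="a;b;c") starts with a script scheme."""
    return any(part.startswith(SCRIPT_SCHEMES) for part in _normalise(value).split(";"))


def scan_svg(svg_text: str) -> list:
    """Return findings for animation-based XSS vectors; an empty list means none found.
    Unparseable input is reported as a finding so a sanitiser rejects it instead of
    handing it to a more lenient browser parser."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable SVG, reject: {exc}"]

    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str):  # skip comments / processing instructions
            continue
        tag = _local(el.tag)
        if tag not in ANIMATION_TAGS:
            continue
        attrs = {_local(k): v for k, v in el.attrib.items()}
        target = _normalise(attrs.get("attributename", ""))
        if target in TARGET_ATTRS:
            findings.append(f"<{tag}> retargets '{target}' on its parent at runtime")
        for name in VALUE_ATTRS:
            if name in attrs and has_script_scheme(attrs[name]):
                findings.append(f"<{tag} {name}=...> supplies a script-scheme URL")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    return not scan_svg(svg_text)


# Constructed samples (not from the advisory or from any real mail).
BENIGN = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<circle r="10"><animate attributeName="r" from="10" to="20" dur="1s"/></circle>'
    '</svg>'
)
ANIMATE_HREF = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<a><animate attributeName="href" values="javascript:alert(1)"/>'
    '<text x="20" y="20">Click</text></a></svg>'
)
SET_OBFUSCATED = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.invalid/"><set attributeName="xlink:href" '
    'to="java&#9;script:alert(1)"/><text x="20" y="20">Click</text></a></svg>'
)

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("animate", ANIMATE_HREF), ("set", SET_OBFUSCATED)]:
        print(label, scan_svg(doc) or "no findings")
```

The practical lesson for a sanitizer: allowing SVG animation elements is only safe if attributeName and the value-bearing attributes (to, from, by, values) are inspected too; a tag allow-list alone lets a harmless-looking animate element turn a plain link into a javascript: URL after the document has been rendered.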
Rapid Weaponization and Nation-State Concerns
The speed at which these vulnerabilities were weaponized is particularly concerning. Kirill Firsov, CEO of Dubai-based cybersecurity firm FearsOff, credited with discovering and reporting CVE-2025-49113, revealed that attackers “diffed and weaponized” the flaw within a mere 48 hours of its public disclosure. An exploit for this critical vulnerability was subsequently offered for sale on June 4, 2025, underscoring its immediate value to threat actors.
Firsov further emphasized the ease of exploitation, noting that CVE-2025-49113 can be reliably triggered on default Roundcube installations. While the identities of the current exploiters remain undisclosed, earlier Roundcube vulnerabilities have been weaponized by state-sponsored groups such as APT28 and Winter Vivern, so a high-capability adversary should be assumed.
Urgent Remediation for Federal Agencies
In response, Federal Civilian Executive Branch (FCEB) agencies are required under Binding Operational Directive 22-01 to remediate both vulnerabilities by March 13, 2026.
For all organizations running Roundcube, the priority is to update to a fixed release without delay. Because the RCE needs only a valid login and exploits have been circulating since June 2025, administrators should also review webmail accounts for credential compromise and check servers for signs of post-exploitation.