CISA Adds Two Actively Exploited Roundcube Webmail Flaws to

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.


Dylan H.

Security Team

February 23, 2026
6 min read

Affected Products

  • Roundcube Webmail before 1.5.12
  • Roundcube Webmail before 1.6.12

Critical Roundcube Flaws Under Active Attack

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed active exploitation in the wild. The flaws — CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 (CVSS 7.2) — allow remote code execution and cross-site scripting respectively, and affect organizations worldwide that rely on Roundcube as their webmail solution.

Federal Civilian Executive Branch (FCEB) agencies are required to patch by March 13, 2026, per Binding Operational Directive (BOD) 22-01. However, CISA strongly urges all organizations using Roundcube to apply patches immediately given the confirmed exploitation activity.

Roundcube is one of the most widely deployed open-source webmail clients, used extensively by government agencies, universities, ISPs, and enterprises — making these vulnerabilities particularly high-impact.

Vulnerability Details

| Attribute            | CVE-2025-49113                                    | CVE-2025-68461                          |
|----------------------|---------------------------------------------------|-----------------------------------------|
| CVSS Score           | 9.9 (Critical)                                    | 7.2 (High)                              |
| Type                 | Deserialization of Untrusted Data                 | Cross-Site Scripting (XSS)              |
| Component            | program/actions/settings/upload.php               | SVG animate tag handling                |
| Attack Vector        | Network (authenticated)                           | Network (email delivery)                |
| User Interaction     | None (post-authentication)                        | Required (open malicious email)         |
| Impact               | Remote Code Execution (RCE)                       | Session hijacking, mail exfiltration    |
| Exploitation         | Active — weaponized within 48 hours of disclosure | Active — confirmed in the wild          |
| Hidden Duration      | 10+ years in the codebase                         | N/A                                     |
| Patched Versions     | 1.5.10 / 1.6.11 (and backports)                   | 1.5.12 / 1.6.12                         |
| FCEB Patch Deadline  | March 13, 2026                                    | March 13, 2026                          |

How the Vulnerabilities Work

CVE-2025-49113: Deserialization RCE (CVSS 9.9)

This critical vulnerability exists in Roundcube's file upload handler at program/actions/settings/upload.php. The flaw stems from a failure to validate the _from parameter in the URL:

  1. An authenticated user submits a crafted request to the upload endpoint
  2. The _from parameter is passed directly to a deserialization function without validation
  3. The attacker provides a serialized PHP object containing malicious payloads
  4. The server deserializes the untrusted data, executing arbitrary code with web server privileges
  5. The attacker achieves full remote code execution on the Roundcube server

This vulnerability is particularly dangerous because:

  • It has been hidden in the codebase for over 10 years
  • It triggers reliably on default installations without additional configuration
  • It requires only authenticated user access (any valid webmail account)
  • Attackers weaponized it within 48 hours of public disclosure
  • An exploit was offered for sale as early as June 4, 2025

CVE-2025-68461: SVG-Based XSS (CVSS 7.2)

This cross-site scripting vulnerability exploits Roundcube's handling of SVG images embedded in emails:

  1. An attacker crafts a malicious email containing an SVG image
  2. The SVG contains a <animate> tag with embedded JavaScript
  3. When the victim opens the email in Roundcube's web interface, the SVG renders
  4. The JavaScript executes in the context of the victim's Roundcube session
  5. The attacker can then:
    • Read all emails in the victim's mailbox
    • Exfiltrate session tokens and authentication cookies
    • Send emails silently from the victim's account
    • Modify mail filters to redirect future correspondence
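The defensive counterpart to the chain above is to strip SMIL animation elements (including <animate>), script elements, event-handler attributes and script-scheme URLs from any SVG before it is rendered inside a webmail session. The following sanitizer is an added example written for this article; it is not Roundcube's own code and does not reproduce the actual CVE-2025-68461 fix. The sample SVG is constructed, and its handler bodies are comments rather than working script.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SMIL animation and scripting elements are dropped wholesale: a mail client has
# no need to animate an inline image, and <animate>/<set> expose event hooks.
BLOCKED_ELEMENTS = {
    "script", "animate", "set", "animatemotion", "animatetransform",
    "animatecolor", "foreignobject", "iframe", "embed",
}
# Attribute values that would hand navigation to a script-capable URL.
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed sample: one benign rectangle plus the three things the policy removes.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="/* constructed sample handler */">
  <rect id="r" x="10" y="10" width="50" height="50" fill="steelblue"/>
  <animate xlink:href="#r" attributeName="x" from="10" to="40" dur="1s"/>
  <a xlink:href="javascript:/* constructed sample */"><text x="5" y="90">link</text></a>
</svg>"""


def local_name(qname):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text):
    """Return (clean_svg, elements_removed, attributes_removed)."""
    root = ET.fromstring(svg_text)
    if local_name(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    # ElementTree has no parent pointers, so build the map once up front.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    elements_removed = attributes_removed = 0
    for el in list(root.iter()):
        if local_name(el.tag) in BLOCKED_ELEMENTS:
            parent_of[el].remove(el)
            elements_removed += 1
            continue
        for attr in list(el.attrib):
            value = el.attrib[attr].strip().lower()
            if local_name(attr).startswith("on") or value.startswith(SCRIPT_SCHEMES):
                del el.attrib[attr]
                attributes_removed += 1
    return ET.tostring(root, encoding="unicode"), elements_removed, attributes_removed


def element_names(svg_text):
    """Local names of every element in the document, useful for checking what survived."""
    return [local_name(e.tag) for e in ET.fromstring(svg_text).iter()]


if __name__ == "__main__":
    clean, n_el, n_attr = sanitize_svg(SAMPLE_SVG)
    print(f"removed {n_el} element(s) and {n_attr} attribute(s)")
    print(clean)
```

Two caveats for production use: a denylist of attribute names and URL schemes is easy to slip past (browsers tolerate whitespace and control characters inside a scheme), so a real sanitizer should keep an allowlist of known-safe elements and attributes instead; and xml.etree should be swapped for defusedxml when the input is attacker-controlled, to block entity-expansion attacks on the parser itself.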

Historical Context: Roundcube as an APT Target

Roundcube vulnerabilities have a well-documented history of exploitation by state-sponsored threat actors:

| Group               | Campaign                          | Year      | Target                                   |
|---------------------|-----------------------------------|-----------|------------------------------------------|
| APT28 (Fancy Bear)  | Government webmail exploitation   | 2023–2024 | European government agencies             |
| Winter Vivern       | CVE-2023-5631 XSS campaign        | 2023      | European governments and think tanks     |
| TAG-70              | Roundcube XSS exploitation        | 2024      | Government and military organizations    |
| Unknown             | CVE-2025-49113 exploitation       | 2025–2026 | Organizations running default Roundcube  |

The pattern is clear: Roundcube's widespread deployment in government and institutional environments makes it a persistent target for both espionage and cybercrime operations.

Impact Assessment

| Impact Area            | Description                                                                              |
|------------------------|------------------------------------------------------------------------------------------|
| Government agencies    | FCEB agencies running Roundcube are immediate targets — 3-week patch deadline            |
| Universities and ISPs  | Widely deployed in education and ISP environments with large user bases                  |
| Email confidentiality  | XSS vulnerability enables silent email surveillance and exfiltration                     |
| Server compromise      | RCE vulnerability provides full server access for data theft or lateral movement         |
| Supply chain risk      | Compromised mail servers can be used to send convincing phishing from legitimate accounts |
| Espionage operations   | State-sponsored groups have historically targeted Roundcube for intelligence collection  |

Patching Guide

Affected Versions and Fixes

| Branch | Fix for CVE-2025-49113 | Fix for CVE-2025-68461 | Recommended Version |
|--------|------------------------|------------------------|---------------------|
| 1.5.x  | 1.5.10+                | 1.5.12+                | 1.5.12 or later     |
| 1.6.x  | 1.6.11+                | 1.6.12+                | 1.6.12 or later     |
```
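Because the two fixes landed in different releases, a host on 1.6.11 is protected against the RCE but still exposed to the XSS. The script below is an added example (not from this article or the Roundcube project) that turns the fix table into a triage pass over an inventory of installed versions; the hostnames and versions in SAMPLE_INVENTORY are constructed, and the handling of branches outside the table (such as 1.4.x) is an assumption, since the article gives fix versions only for 1.5.x and 1.6.x.

```python
import re

# Minimum fixed version per branch and CVE, taken from the fix table above.
FIX_TABLE = {
    (1, 5): {"CVE-2025-49113": (1, 5, 10), "CVE-2025-68461": (1, 5, 12)},
    (1, 6): {"CVE-2025-49113": (1, 6, 11), "CVE-2025-68461": (1, 6, 12)},
}

# Constructed inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("mail-a.example.internal", "1.6.11"),  # has the RCE fix, still missing the XSS fix
    ("mail-b.example.internal", "1.5.9"),   # predates both fixes
    ("mail-c.example.internal", "1.6.12"),  # fully patched
    ("mail-d.example.internal", "1.4.15"),  # branch not covered by the table (assumed EOL)
]

VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Turn '1.6.11' (optionally 'v1.6.11' or with a suffix) into a comparable tuple."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version_text):
    """Report which of the two CVEs a given installed version is still exposed to."""
    v = parse_version(version_text)
    branch = v[:2]
    if branch not in FIX_TABLE:
        # Assumption: a branch the article does not list cannot be declared safe,
        # so it is flagged for upgrade rather than silently treated as patched.
        return {"version": v, "status": "branch-not-in-table", "vulnerable_to": []}
    vulnerable = sorted(cve for cve, fixed in FIX_TABLE[branch].items() if v < fixed)
    status = "vulnerable" if vulnerable else "patched"
    return {"version": v, "status": status, "vulnerable_to": vulnerable}


def triage(inventory):
    """Rank hosts: most outstanding CVEs first, unlisted branches next, patched last."""
    def rank(item):
        host, result = item
        unknown_first = 0 if result["status"] == "branch-not-in-table" else 1
        return (-len(result["vulnerable_to"]), unknown_first, host)
    return sorted(((host, assess(ver)) for host, ver in inventory), key=rank)


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY):
        cves = ", ".join(result["vulnerable_to"]) or "-"
        print(f"{host:26} {'.'.join(map(str, result['version'])):8} {result['status']:20} {cves}")
```

Feed it the version strings collected from Settings > About (or from the installed package metadata) and the sorted output doubles as the patch order for step 5 of the security-team recommendations.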

How to Update

  1. Backup your Roundcube installation and database
  2. Download the latest release from the Roundcube releases page
  3. Follow the upgrade guide for your deployment method
  4. Verify the version number in Settings > About after upgrade
  5. Test email functionality to ensure no regressions

Recommendations

For IT Administrators

  1. Patch Roundcube immediately — Update to 1.5.12 or 1.6.12 (or later)
  2. Restrict upload.php access if patching is delayed — Apply WAF rules to block crafted _from parameters
  3. Disable SVG rendering in Roundcube configuration as a temporary mitigation for CVE-2025-68461
  4. Audit user accounts for signs of compromise — Check for unauthorized mail filter changes or forwarding rules
  5. Enable CSP headers to reduce XSS impact if not already configured

For Security Teams

  1. Hunt for exploitation indicators — Review web server logs for unusual requests to upload.php with serialized data
  2. Monitor for email exfiltration — Look for bulk email access patterns or unusual IMAP/POP connections
  3. Check for unauthorized mail rules — Compromised accounts may have attacker-created forwarding or filter rules
  4. Correlate with threat intelligence — APT28 and Winter Vivern have historically exploited Roundcube
  5. Assess exposure — Identify all Roundcube instances in your environment and prioritize patching by exposure level
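The hunting step above (unusual requests to the upload handler carrying serialized data) and the exploitation chain described under CVE-2025-49113 can both be checked with the same log-review logic. The script below is an added example for this article, not Roundcube code or a vendor-published detection: it parses Apache-style access-log lines, picks out requests to the upload action, and flags any _from value that carries PHP serialization markers (O:, C: or a: records) or that does not look like a plain identifier. The log lines are constructed, and the assumption that legitimate _from values are short identifier-like tokens is mine, not something the article states.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache "combined" style); not real traffic.
# Line 2 carries a PHP-serialized object (a harmless stdClass) in _from; lines 1
# and 3 are ordinary Roundcube requests.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Feb/2026:10:01:02 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Feb/2026:10:02:13 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [20/Feb/2026:10:03:44 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP serialization grammar markers: O:<len>:"<class>" and C:<len>:"<class>"
# introduce objects; a:<n>:{ introduces an array that may wrap one.
SERIALIZED_RE = re.compile(r'(?:^|[^A-Za-z0-9])(?:[OC]:\d+:"[^"]+"|a:\d+:\{)')

# Assumption: legitimate _from values are short identifier-like tokens.
LEGIT_FROM_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def query_params(url):
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_upload_request(url):
    """Match both a direct hit on upload.php and the routed _action=upload form."""
    path = urlsplit(url).path
    return path.endswith("upload.php") or query_params(url).get("_action", [""])[0] == "upload"


def suspicious_from_values(url):
    """(value, reason) for every _from value that is serialized or not identifier-shaped."""
    flagged = []
    for value in query_params(url).get("_from", []):
        if SERIALIZED_RE.search(value):
            flagged.append((value, "serialized"))
        elif not LEGIT_FROM_RE.match(value):
            flagged.append((value, "unexpected-format"))
    return flagged


def hunt(log_text):
    """Return one finding per log line that targets the upload action with a bad _from."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        if not is_upload_request(url):
            continue
        flagged = suspicious_from_values(url)
        if flagged:
            value, reason = flagged[0]
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
                "status": int(m.group("status")), "from": value, "reason": reason,
                # A 2xx suggests the request reached the handler rather than being
                # rejected upstream; it does not by itself prove the payload ran.
                "reached_handler": m.group("status").startswith("2"),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} status={f['status']} {f['reason']}: {f['from'][:60]}")
```

Only the URL query is inspected here, so POST bodies (which access logs do not record) would need the same check applied to a WAF or reverse-proxy body log; a value that has been percent-encoded twice would also slip past, and a second decoding pass before the regex closes that gap.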

Key Takeaways

  1. Two Roundcube vulnerabilities added to CISA KEV — CVE-2025-49113 (CVSS 9.9, RCE) and CVE-2025-68461 (CVSS 7.2, XSS)
  2. Active exploitation confirmed — Attackers weaponized CVE-2025-49113 within 48 hours of disclosure
  3. Federal agencies must patch by March 13, 2026 — All organizations should patch immediately
  4. CVE-2025-49113 was hidden for 10+ years in the Roundcube codebase and triggers on default installations
  5. Roundcube remains a persistent APT target — State-sponsored groups including APT28 and Winter Vivern have a documented history of targeting this platform
  6. Update to Roundcube 1.5.12 or 1.6.12 to address both vulnerabilities
