CISA Adds Two Roundcube Vulnerabilities to Known Exploited List
CISA added two Roundcube webmail flaws to its Known Exploited Vulnerabilities catalog due to active attacks. Federal agencies must fix them by March 13, 2026. The bugs are CVE-2025-49113 and CVE-2025-68461.
CVE-2025-49113 is a critical deserialization flaw in upload.php. It lets logged-in users run code remotely via the _from URL parameter. CVSS score sits at 9.9. A fix came out in June 2025.
CVE-2025-68461 allows cross-site scripting through SVG animate tags. Attackers inject scripts via emails. It scores 7.2 on CVSS. Patches dropped in December 2025.
FearsOff found CVE-2025-49113 after it had sat in the code for 10 years. Attackers weaponized it fast: an exploit was on sale online by June 4, 2025. Default setups face high risk.
Attackers hit Roundcube often. Groups like APT28 and Winter Vivern used past flaws. No word yet on who’s exploiting these two. But real-world hits forced CISA action.
Vulnerability Details
CISA links exploitation evidence to both CVEs. FCEB agencies face mandates. Private orgs should patch too.
| CVE ID | CVSS Score | Type | Fixed Version |
|---|---|---|---|
| CVE-2025-49113 | 9.9 | Deserialization RCE | June 2025 update |
| CVE-2025-68461 | 7.2 | XSS via SVG | 1.6.12 / 1.5.12 |
CISA alert: “Apply mitigations now to secure networks.”
Roundcube news: Security fixes confirmed in releases.
FearsOff report: Attackers diffed code in 48 hours. [fearsoff.org/research/roundcube].
Patch Priority
- Update to latest Roundcube versions right away.
- Scan for exposed webmail on standard ports.
- Check logs for failed auth or odd uploads.
- Review authenticated users' activity for signs of exploitation.
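As an added example (not code from the article, CISA or the Roundcube project), a Python triage helper covering the last three steps: it checks an installed version against the fixed releases the article lists for CVE-2025-68461, and flags access-log requests to upload.php that carry the _from parameter the article ties to CVE-2025-49113. The Apache-style log format, the path check and the rule that branches older than 1.5 get no fix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fixed releases for CVE-2025-68461 as stated in the article (1.6.12 / 1.5.12).
FIXED = {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)}

def parse_version(s):
    return tuple(int(p) for p in re.match(r"(\d+)\.(\d+)\.(\d+)", s).groups())

def needs_patch(version):
    """True if the installed Roundcube version predates the fixed release on its branch.
    Assumption (not from the article): branches older than 1.5 receive no fix and are
    flagged; branches newer than 1.6 are treated as shipping with the fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return v[:2] < (1, 6)
    return v < fixed

# Assumed Apache combined-format prefix: client, ident, user, timestamp, request, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def suspicious_upload_requests(lines):
    """Return (ip, user, target) for requests to upload.php carrying a _from parameter.
    The article ties CVE-2025-49113 to that parameter, used by a logged-in user, so these
    are the requests (and accounts) worth reviewing first. The path check follows the
    article's wording; adjust it to the upload endpoint of your own deployment."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/upload.php"):
            continue
        if "_from" in parse_qs(parts.query):
            hits.append((m["ip"], m["user"], m["target"]))
    return hits

# Constructed sample log lines (not real traffic) for a quick run.
SAMPLE_LOG = [
    '203.0.113.7 - alice [02/Mar/2026:10:01:02 +0000] "POST /roundcube/upload.php?_from=compose&_id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - alice [02/Mar/2026:10:01:09 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 8192',
    '198.51.100.4 - bob [02/Mar/2026:10:02:30 +0000] "POST /roundcube/upload.php?_id=2 HTTP/1.1" 200 300',
    'not a log line',
]

if __name__ == "__main__":
    print("1.6.11 needs patch:", needs_patch("1.6.11"))
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        print("review:", hit)
```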
FAQ
CVE-2025-49113 (RCE, CVSS 9.9) and CVE-2025-68461 (XSS, CVSS 7.2).
By March 13, 2026.
Remote code execution for authenticated users. It lurked in the code for 10+ years, and exploits have been sold online.
FearsOff reported CVE-2025-49113. Roundcube fixed both.
APT28, Winter Vivern hit earlier flaws.