CISA Adds 2 Exploited Roundcube Flaws to KEV Catalog

Eng. Donya Bino

CISA has updated its Known Exploited Vulnerabilities (KEV) catalogue with two vulnerabilities in the Roundcube webmail software. The two flaws are independent of each other: one gives an authenticated attacker code execution on the webmail server, the other lets an attacker run script in victims' browser sessions. CISA has confirmed that both are being actively exploited in the wild.

Vulnerabilities
1. CVE-2025-49113 (CVSS 9.9 - Critical)
This vulnerability is in program/actions/settings/upload.php and is a PHP object injection (untrusted deserialization) flaw. The _from URL parameter is neither validated nor sanitised, so an authenticated user can supply a crafted serialized object and achieve remote code execution (RCE) on the server. Note the prerequisite: the attacker needs valid webmail credentials, which is why this bug is typically paired with credential theft, phishing or password spraying.

The issue had been present in the codebase for more than 10 years and was only found when a security researcher reported it to Roundcube. By June 4, 2025 the vulnerability had been publicly disclosed, and according to FearsOff CEO Kirill Firsov a working exploit had been developed within 48 hours of that disclosure.

Exploitation was confirmed to work reliably against default Roundcube installations.

2. CVE-2025-68461 (CVSS 7.2 - High)
Roundcube also has a cross-site scripting (XSS) vulnerability triggered through a tag inside SVG documents that Roundcube processes when rendering mail. Because the script runs in the authenticated user's webmail session, it can be escalated to remote code execution (RCE).

The flaw can also be chained with other vulnerabilities, allowing an attacker to compromise additional users of the mail system. It was fixed in Roundcube's December 2025 security release.

Exploitation situation
Nation-state actors have extensively targeted Roundcube:
1. APT28 (Fancy Bear/Sofacy) has exploited several Roundcube flaws to read and exfiltrate victims' email.
2. Winter Vivern (aka TA473) used similar webmail vulnerabilities in its 2023–2024 campaigns against government and diplomatic targets.

No specific attribution is provided for the current exploitation of these two CVEs, but the pattern fits state-sponsored or advanced criminal operations seeking persistent email access.

Remediation Deadline
Federal Civilian Executive Branch (FCEB) agencies must apply patches by March 13, 2026 (21 days from catalog addition) to comply with Binding Operational Directive (BOD) 22-01.

User Recommendations
1. Upgrade to the current Roundcube release. CVE-2025-49113 was fixed in 1.6.11 (and 1.5.10 on the 1.5 branch); CVE-2025-68461 was fixed in the December 2025 security release, so any build from that release onward covers both. Check the running version before assuming you are covered: a 1.6.x install that was patched in June 2025 and not since is still exposed to the XSS.

2. If an upgrade cannot be done promptly:
a) For CVE-2025-49113, block the vulnerable settings upload action at the web server or WAF. Roundcube dispatches every request through index.php using the _task and _action query parameters, so blocking direct access to program/actions/settings/upload.php does nothing; the rule has to match requests with _task=settings and _action=upload (this also breaks legitimate signature and response image uploads until you patch).
b) For CVE-2025-68461, block or strip SVG attachments and inline SVG in incoming mail at the gateway, or enforce strict content filtering on SVG, until the fix is applied.

3. If a vulnerable version has been exposed on an Internet-facing server, assume it may already have been hit and hunt for indicators of compromise: web shells dropped under the web root, unusual outbound traffic from the mail host, requests to the settings upload action with unexpected parameter values, and authenticated sessions from unfamiliar addresses or user agents.

4. Implement multi-factor authentication and monitor for anomalies during login attempts.
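For the hunting step (item 3), the following is an added example, not code from the original page, the source article or the Roundcube project. It scans web-server access logs for requests to the settings upload action whose _from value does not look like the short identifier Roundcube's own UI sends. The allowlist shape for _from, the serialized-PHP and session-delimiter markers, and the sample log lines are all assumptions constructed for the example; real exploit payloads vary, and a _from value sent in a POST body never reaches the access log, so a clean result is necessary but not sufficient.

```python
"""Hunt web-server access logs for abuse of the Roundcube settings upload
action exploited by CVE-2025-49113.

Roundcube routes every request through index.php and picks the handler from
the _task and _action query parameters; the vulnerable handler is the upload
action of the settings task, and the injected data travels in _from.
Assumption (not from the advisory): legitimate _from values are short
identifier-style strings such as "edit-identity", so anything outside that
shape is reported, and serialization/delimiter markers raise the severity.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Allowlist shape for _from (assumption, see module docstring).
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')
# "|" is Roundcube's session key/value delimiter; "O:<n>:", "a:<n>:" and
# "C:<n>:" are the leading tokens of PHP serialize() output.
SERIALIZED_MARKER = re.compile(r'\||[OaC]:\d+:')


def parse_line(line):
    """Return the named fields of one combined-format line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(url):
    # parse_qs URL-decodes values, so %7C becomes "|" here.
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def is_settings_upload(url):
    """True when the request targets _task=settings&_action=upload."""
    q = query_params(url)
    return (q.get('_task', [''])[0] == 'settings'
            and q.get('_action', [''])[0] == 'upload')


def classify_from(value):
    """None for a benign _from value, otherwise 'high' or 'medium'."""
    if SAFE_FROM.match(value):
        return None
    if SERIALIZED_MARKER.search(value):
        return 'high'      # looks like serialized PHP / delimiter injection
    return 'medium'        # unexpected characters; review by hand


def hunt(lines):
    """One finding per suspicious _from value seen on the upload action."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_settings_upload(rec['url']):
            continue
        for raw in query_params(rec['url']).get('_from', []):
            severity = classify_from(raw)
            if severity:
                findings.append({
                    'ip': rec['ip'], 'ts': rec['ts'], 'status': rec['status'],
                    'ua': rec['ua'], 'severity': severity, 'from': raw[:80],
                })
    return findings


# Constructed sample log lines (not real traffic). Line 1 is a user uploading
# an identity signature image, line 2 ordinary mail use, lines 3 and 4 abuse.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:09:14:02 +0000] "POST /index.php?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [20/Feb/2026:09:15:10 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [20/Feb/2026:09:16:44 +0000] "POST /index.php?_task=settings&_action=upload&_from=edit-%7CO%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 0 "-" "python-requests/2.32"',
    '198.51.100.78 - - [20/Feb/2026:09:17:01 +0000] "POST /index.php?_task=settings&_action=upload&_from=edit-%3Cscript%3E HTTP/1.1" 403 0 "-" "curl/8.5"',
]

if __name__ == '__main__':
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['ip']:15} status={f['status']} "
              f"_from={f['from']!r} ua={f['ua']}")
```

Run it against the real log with `hunt(open('/var/log/nginx/access.log').read().splitlines())`. A high-severity hit with a 200 response deserves an immediate incident response regardless of whether the server was patched at the time, because the request shows someone with valid credentials probing the bug; a 403 from a blocking rule still tells you which accounts and addresses to look at.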

Roundcube remains one of the most widely deployed open-source webmail solutions and is therefore a high-value target. Rapid patching is critical, especially for organisations in government, defence, diplomacy, or any sector handling sensitive email communications.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067