CISA Identifies Two Roundcube Vulnerabilities Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency has added two significant vulnerabilities in Roundcube webmail software to its Known Exploited Vulnerabilities catalog, underscoring the urgency of remediation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included two vulnerabilities affecting Roundcube webmail software in its Known Exploited Vulnerabilities (KEV) catalog, indicating that these flaws are currently being exploited in the wild.

Details of the Vulnerabilities

The vulnerabilities are as follows:

CVE-2025-49113 (CVSS score: 9.9) – A deserialization-of-untrusted-data flaw that allows authenticated users to achieve remote code execution. It arises because the _from URL parameter is not properly validated in the program/actions/settings/upload.php file. The flaw was addressed in a patch released in June 2025.

CVE-2025-68461 (CVSS score: 7.2) – This is a cross-site scripting vulnerability that can be exploited through the animate tag in an SVG document. A fix for this vulnerability was made available in December 2025.
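As an added, defender-side example (not code from the article, CISA or the Roundcube project), the following sanitizer strips the SVG animate element named above from an attachment before it is rendered; the other SMIL elements, script, foreignObject and event-handler or javascript: attributes it also removes are assumed defence-in-depth extras, and the sample SVG is constructed. It assumes Python's standard xml.etree parser and is a gateway-side mitigation, not a substitute for the December 2025 patch.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or change attributes at render time.
# "animate" is the vector the article names; the rest are assumed extras.
BLOCKED_ELEMENTS = {"animate", "set", "animateMotion", "animateTransform",
                    "script", "foreignObject"}


def _local(name):
    # ElementTree renders namespaced names as "{uri}local"; keep "local".
    return name.rsplit("}", 1)[-1]


def sanitize_svg(svg_text):
    """Return (cleaned_svg, number_of_removed_nodes_and_attributes).

    Assumption: for untrusted input in production, parse with defusedxml
    instead of the stock parser to also block entity-expansion tricks.
    """
    root = ET.fromstring(svg_text)
    removed = 0
    # Materialise the parent list first so removals do not disturb iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
                removed += 1
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local(attr).lower()
            value = elem.attrib[attr].strip().lower()
            # Drop on* event handlers and javascript: URLs (href, xlink:href).
            if name.startswith("on") or value.startswith("javascript:"):
                del elem.attrib[attr]
                removed += 1
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one animate child, one javascript: link, one handler.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<rect width="10" height="10" fill="red">'
    '<animate attributeName="fill" to="blue"/></rect>'
    '<a xlink:href="javascript:void(0)"><text>hi</text></a>'
    '<circle r="5" onload="handler()"/>'
    '</svg>'
)

if __name__ == "__main__":
    cleaned, count = sanitize_svg(SAMPLE_SVG)
    print(count, cleaned)
```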

Exploitation Timeline

According to FearsOff, a cybersecurity firm based in Dubai, the vulnerability CVE-2025-49113 was discovered and reported by its founder, Kirill Firsov. Notably, within 48 hours of the public disclosure of this flaw, attackers had already “diffed and weaponized the vulnerability.” An exploit for this vulnerability was subsequently offered for sale on June 4, 2025. Firsov also mentioned that this flaw could be reliably triggered on default installations and had remained undetected in the codebase for over a decade.

Impact and Response

While the specific actors behind the exploitation of these vulnerabilities remain unidentified, it is worth noting that similar vulnerabilities in Roundcube have previously been targeted by nation-state threat groups, including APT28 and Winter Vivern.

In light of these developments, federal agencies within the Federal Civilian Executive Branch (FCEB) are required to remediate the identified vulnerabilities by March 13, 2026, to protect their networks from the ongoing threats posed by these flaws.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.