The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws affecting the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are as follows.
CVE-2025-49113 (CVSS score: 9.9) – Untrusted data deserialization vulnerability that allows remote code execution by authenticated users, because the _from parameter in a URL is not validated in programs/actions/configurations/upload.php. (Fixed in June 2025) CVE-2025-68461 (CVSS score: 7.2) – Cross-site scripting vulnerability via the animate tag in SVG documents. (revised December 2025)
Dubai-based cybersecurity firm FearsOff, whose founder and CEO Kirill Firsov is credited with discovering and reporting CVE-2025-49113, said attackers had already “exploited and weaponized the vulnerability” within 48 hours of the flaw’s disclosure. An exploit leveraging this vulnerability was subsequently made available for sale on June 4, 2025.
Firsov also noted that this flaw can definitely be triggered by default installations and has been hidden in the codebase for over a decade.
Details about who was behind the exploitation of the two Roundcube flaws are unclear. However, multiple vulnerabilities in email software have been weaponized by nation-state threat actors such as APT28 and Winter Vivern.
Federal Civilian Executive Branch (FCEB) agencies must remediate identified vulnerabilities by March 13, 2026 to protect their networks from current threats.
Source link
