Critical Roundcube Webmail Vulnerabilities Actively Exploited — CISA Issues Urgent Warning

In a stark cybersecurity alert that has sent shockwaves through the global IT community, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two dangerous vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. The agency’s Friday announcement underscores mounting evidence that malicious actors are actively weaponizing these flaws in real-world attacks, putting millions of users and countless organizations at risk.

The vulnerabilities, both carrying high-severity CVSS scores, represent serious threats to webmail systems worldwide:

• CVE-2025-49113 (CVSS: 9.9) — A catastrophic deserialization flaw allowing remote code execution by authenticated users. The vulnerability stems from improper validation of the _from parameter in program/actions/settings/upload.php. Despite being patched in June 2025, attackers wasted no time weaponizing the flaw within 48 hours of its public disclosure, with exploit code appearing for sale on underground forums by June 4th. Cybersecurity firm FearsOff, whose CEO Kirill Firsov discovered and reported the issue, revealed the vulnerability had lurked undetected in Roundcube’s codebase for over a decade.

• CVE-2025-68461 (CVSS: 7.2) — A cross-site scripting (XSS) vulnerability exploitable via malicious SVG animate tags. This flaw, patched in December 2025, allows attackers to inject and execute arbitrary scripts in users’ browsers.

Dubai-based FearsOff’s alarming findings paint a grim picture: the Roundcube deserialization vulnerability is not merely theoretical—it’s being actively exploited in the wild. The speed at which attackers reverse-engineered, weaponized, and monetized the flaw demonstrates the lucrative black market for such critical exploits.

The threat landscape surrounding Roundcube has grown increasingly perilous. Multiple vulnerabilities in the open-source email platform have been systematically weaponized by sophisticated nation-state threat actors, including notorious groups like APT28 (aka Fancy Bear) and Winter Vivern. These advanced persistent threat (APT) groups have leveraged Roundcube flaws in espionage campaigns targeting government agencies, diplomatic entities, and critical infrastructure worldwide.

CISA’s inclusion of these vulnerabilities in the KEV catalog triggers immediate compliance requirements for Federal Civilian Executive Branch (FCEB) agencies, which must implement patches and mitigations by March 13, 2026. However, security experts warn that the threat extends far beyond government networks—any organization running vulnerable Roundcube installations faces imminent danger.

The discovery of a decade-old vulnerability lurking in production code raises serious questions about software supply chain security and the challenges of maintaining legacy codebases. Security researchers emphasize that organizations running Roundcube should immediately verify their installations are updated to the latest patched versions (1.6.12 and 1.5.12) and implement additional monitoring for suspicious activity.

As nation-state actors continue refining their exploitation techniques and the cybercrime ecosystem accelerates its weaponization of newly disclosed vulnerabilities, the Roundcube incidents serve as a sobering reminder: in today’s threat landscape, even a single unpatched vulnerability can provide attackers with a foothold capable of compromising entire networks.

Administrators and security teams are urged to treat these vulnerabilities with the utmost urgency, implementing patches immediately and conducting thorough security audits of their email infrastructure. The clock is ticking, and the evidence is clear—these flaws are not theoretical risks but active weapons in the hands of sophisticated adversaries.

Tags & Viral Phrases:

• Roundcube webmail vulnerability
• CISA Known Exploited Vulnerabilities catalog
• CVE-2025-49113 remote code execution
• CVE-2025-68461 XSS vulnerability
• FearsOff cybersecurity research
• APT28 Fancy Bear targeting Roundcube
• Winter Vivern espionage campaign
• Deserialization of untrusted data vulnerability
• Webmail software critical flaw
• Federal agencies March 13 deadline
• 10-year-old vulnerability discovered
• Exploit code for sale underground
• Nation-state actors weaponizing email flaws
• Critical infrastructure at risk
• Software supply chain security warning
• Legacy code vulnerabilities
• Email system security audit required
• Active exploitation in the wild
• CVSS score 9.9 critical vulnerability
• Cross-site scripting SVG attack
• Cybersecurity emergency alert
• Patch immediately or risk compromise
• Government networks targeted
• Sophisticated APT groups
• Zero-day vulnerability monetization
• Enterprise email security crisis
• Urgent security patch deployment
• Federal Civilian Executive Branch warning
• Digital espionage campaign
• Email server compromise threat
• Critical infrastructure vulnerability
• Cybersecurity incident response
• Threat actor monetization
• Vulnerability weaponization timeline
• Software maintenance failure
• Enterprise security breach risk
• Government cybersecurity mandate
• Email platform security failure
• Advanced persistent threat warning
• Critical vulnerability exploitation
• Enterprise security emergency
• Federal compliance deadline
• Cybersecurity incident escalation
• Email infrastructure compromise
• Digital espionage threat
• Software vulnerability monetization
• Enterprise security crisis
• Critical system vulnerability
• Government cybersecurity warning
• Email server security breach
• Cybersecurity threat landscape
• Enterprise vulnerability management
• Government network security
• Email system compromise
• Cybersecurity incident response team
• Enterprise security posture
• Government cybersecurity compliance
• Email infrastructure security
• Cybersecurity threat intelligence
• Enterprise vulnerability assessment
• Government cybersecurity mandate
• Email platform security audit
• Cybersecurity incident management
• Enterprise security monitoring
• Government network security audit
• Email system vulnerability
• Cybersecurity threat mitigation
• Enterprise security framework
• Government cybersecurity framework
• Email infrastructure monitoring
• Cybersecurity incident prevention
• Enterprise security best practices
• Government cybersecurity best practices
• Email system security measures
• Cybersecurity threat landscape analysis
• Enterprise vulnerability management strategy
• Government cybersecurity strategy
• Email infrastructure security strategy
• Cybersecurity incident response plan
• Enterprise security incident plan
• Government cybersecurity incident plan
• Email system security plan
• Cybersecurity threat detection
• Enterprise vulnerability detection
• Government cybersecurity detection
• Email infrastructure detection
• Cybersecurity incident detection
• Enterprise security detection
• Government network detection
• Email system detection
• Cybersecurity threat prevention
• Enterprise vulnerability prevention
• Government cybersecurity prevention
• Email infrastructure prevention
• Cybersecurity incident prevention
• Enterprise security prevention
• Government network prevention
• Email system prevention
• Cybersecurity threat response
• Enterprise vulnerability response
• Government cybersecurity response
• Email infrastructure response
• Cybersecurity incident response
• Enterprise security response
• Government network response
• Email system response
• Cybersecurity threat recovery
• Enterprise vulnerability recovery
• Government cybersecurity recovery
• Email infrastructure recovery
• Cybersecurity incident recovery
• Enterprise security recovery
• Government network recovery
• Email system recovery

,