Recently patched RoundCube flaws now exploited in attacks
CISA Flags Two Critical Roundcube Webmail Vulnerabilities as Actively Exploited in the Wild
In a major cybersecurity alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, warning federal agencies that both flaws are being actively exploited in real-world attacks. The vulnerabilities, tracked as CVE-2025-49113 and CVE-2025-68461, pose significant risks to federal systems and have prompted an urgent directive for agencies to patch their systems within three weeks.
Critical RCE Flaw (CVE-2025-49113) – A Silent Threat
The first vulnerability, CVE-2025-49113, is a critical remote code execution (RCE) flaw that allows unauthenticated attackers to execute arbitrary code on vulnerable systems. This flaw was first flagged as exploited just days after its patch release in June 2025, when Shadowserver, a leading internet security watchdog, warned that over 84,000 Roundcube Webmail installations were vulnerable to attacks. The widespread exposure of this flaw has made it a prime target for cybercriminals and state-sponsored threat actors alike.
XSS Vulnerability (CVE-2025-68461) – Low-Complexity Attack Vector
The second vulnerability, CVE-2025-68461, is a cross-site scripting (XSS) flaw that can be exploited through low-complexity attacks abusing the animate tag in SVG documents. Roundcube patched this vulnerability in December 2025, releasing versions 1.6.12 and 1.5.12 to address the issue. The Roundcube project strongly urged all users of Roundcube 1.6.x and 1.5.x to update their installations immediately to mitigate the risk.
Widespread Impact and Urgent Action Required
According to Shodan, there are currently over 46,000 Roundcube Webmail instances accessible on the internet. However, it remains unclear how many of these are vulnerable to the aforementioned flaws. CISA’s inclusion of these vulnerabilities in its KEV Catalog underscores their severity and the urgent need for action. Federal agencies have been given until March 13 to patch their systems, as mandated by Binding Operational Directive (BOD) 22-01, issued in November 2021.
A History of Exploitation
Roundcube vulnerabilities have long been a favorite target for both cybercrime groups and state-sponsored hackers. In recent years, the Winter Vivern (TA473) Russian hacking group exploited a stored XSS vulnerability (CVE-2023-5631) in zero-day attacks targeting European government entities. Similarly, the APT28 cyber-espionage group used the same flaw to breach Ukrainian government email systems. These incidents highlight the persistent threat posed by Roundcube vulnerabilities and the need for constant vigilance.
What You Need to Do
For organizations using Roundcube Webmail, the message is clear: patch immediately. If you’re a federal agency, compliance with CISA’s directive is mandatory. For others, the risk of exploitation is equally real, and delaying updates could leave your systems exposed to malicious actors.
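As an added illustration (not Roundcube's own code, and not from the original article), the script below covers the two points the article makes: a defence-in-depth filter that strips SVG animation elements such as animate from untrusted message markup before it is rendered, and a version check against the fixed releases the article names (1.6.12 and 1.5.12). The element list beyond animate, the treatment of branches the article does not name, and the sample SVG are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# SVG/SMIL animation elements, lower-cased: the article reports the XSS abuses
# <animate>; dropping its siblings as well is a defence-in-depth assumption.
ANIMATION_TAGS = {"animate", "animatemotion", "animatetransform", "set"}
# Fixed releases named in the article for CVE-2025-68461, per branch.
FIXED_VERSIONS = {"1.6": (1, 6, 12), "1.5": (1, 5, 12)}


def strip_svg_animation(svg_text):
    """Return (cleaned SVG string, number of animation subtrees removed)."""
    ET.register_namespace("", SVG_NS)
    root = ET.fromstring(svg_text)
    removed = 0
    for parent in root.iter():
        # Iterate over a copy so children can be removed while walking.
        for child in list(parent):
            # Match on the local name, ignoring namespace prefix and case:
            # HTML parsers treat SVG tag names case-insensitively.
            local = child.tag.rsplit("}", 1)[-1].lower()
            if local in ANIMATION_TAGS:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def needs_patch(version):
    """True if a Roundcube version is older than the fixed release for its branch.

    Branches the article does not name are treated as needing an upgrade
    (assumption: only 1.6.12 and 1.5.12 are listed as fixed).
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    branch = ".".join(str(p) for p in parts[:2])
    fixed = FIXED_VERSIONS.get(branch)
    return True if fixed is None else parts < fixed


# Constructed sample message SVG, not taken from the article.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<rect width="10" height="10"><animate attributeName="x" to="5"/></rect>'
    "</svg>"
)

if __name__ == "__main__":
    cleaned, count = strip_svg_animation(SAMPLE_SVG)
    print(count, cleaned)
    for v in ("1.6.11", "1.6.12", "1.5.12", "1.4.15"):
        print(v, "needs patch" if needs_patch(v) else "patched")
```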
Conclusion
The addition of these two vulnerabilities to CISA’s KEV Catalog is a stark reminder of the evolving cybersecurity landscape. As threat actors continue to exploit known vulnerabilities, the importance of timely patching and proactive security measures cannot be overstated. Whether you’re a federal agency or a private organization, the time to act is now.
Tags:
#Cybersecurity #Roundcube #Webmail #CVE2025 #RCE #XSS #CISA #KEV #PatchNow #CyberThreat #FederalAgencies #Vulnerability #Exploitation #StateSponsored #Cybercrime #SecurityAlert #ZeroDay #GovernmentHack #EmailSecurity #CyberDefense
Viral Phrases:
- “Patch now or pay later!”
- “84,000+ systems at risk – are you one of them?”
- “CISA sounds the alarm: Act now!”
- “Roundcube under siege – your email could be next!”
- “Zero-day chaos: Hackers strike fast, patch faster!”
- “Federal agencies on high alert – is your system safe?”
- “From Russia with bugs: State-sponsored attacks exposed!”
- “SVG animations turn deadly: XSS strikes again!”
- “Don’t be the next victim – update Roundcube today!”
- “Cybersecurity wake-up call: Are you listening?”