
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

The vulnerabilities in question are listed below:

  • CVE-2025-49113 (CVSS score: 9.9) – A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/add.php. (Fixed in June 2025)
  • CVE-2025-68461 (CVSS score: 7.2) – A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025)

Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers had already “diffed and weaponized the vulnerability” within 48 hours of public disclosure of the flaw. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025.


Firsov also noted that the shortcoming can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years.

There are no details on who is behind the exploitation of the two Roundcube flaws. However, multiple vulnerabilities in the email software have been weaponized by nation-state threat actors like APT28 and Winter Vivern.

Federal Civilian Executive Branch (FCEB) agencies are to remediate the identified vulnerabilities by March 13, 2026, to secure their networks against the active threat.
