Patched RoundCube Flaws Actively Exploited, CISA Warns

Summary

– CISA has ordered U.S. federal agencies to patch two actively exploited Roundcube Webmail vulnerabilities within three weeks.
– The first critical flaw (CVE-2025-49113) allows remote code execution and was exploited shortly after its June 2025 patch.
– The second flaw (CVE-2025-68461) is a cross-site scripting vulnerability patched in December 2025.
– Over 46,000 Roundcube instances are accessible online, though the exact number vulnerable to these flaws is unknown.
– Roundcube vulnerabilities are popular targets, with past exploits linked to Russian state-sponsored hacking groups.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive for federal agencies to patch two actively exploited vulnerabilities in Roundcube Webmail, a widely used web-based email client. These flaws, which pose a significant risk, must be addressed within a three-week deadline. This urgent action underscores the ongoing threat to email systems, which remain a prime target for both criminal and state-sponsored hacking groups.

The first critical vulnerability, identified as CVE-2025-49113, allows for remote code execution. Security researchers observed exploitation of this flaw mere days after a patch became available in June 2025. Initial warnings indicated that more than 84,000 Roundcube installations were exposed to potential attacks leveraging this security hole. The second issue, tracked as CVE-2025-68461, is a cross-site scripting (XSS) vulnerability that was patched in December 2025. Attackers can exploit it without authentication by using a low-complexity method involving the animate tag within SVG documents.
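As an added defensive example (not code from the article or from the Roundcube project), the following Python scan flags `<animate>` elements nested inside `<svg>` in an HTML mail body, the construct the article names for CVE-2025-68461; a mail gateway or an incident responder can run it over stored messages to triage which ones carry this pattern. The sample bodies are constructed, and the treatment of any SVG animation in mail as suspicious is a conservative policy assumed here, not a rule stated by the article.

```python
"""Triage HTML mail bodies for SVG <animate> elements (added defensive example)."""
from html.parser import HTMLParser


class SvgAnimateFinder(HTMLParser):
    """Record every <animate> element that appears inside an <svg> subtree."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0      # how many <svg> elements we are currently inside
        self.findings = []      # attribute dicts of each nested <animate>

    # HTMLParser lowercases tag and attribute names, so <SVG>/<ANIMATE> and
    # attributeName arrive here as 'svg', 'animate' and 'attributename'.
    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "animate" and self.svg_depth > 0:
            self.findings.append(dict(attrs))

    # Self-closing <animate .../> is dispatched by the base class to
    # handle_starttag followed by handle_endtag, so no override is needed.
    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1


def find_svg_animate(html: str) -> list:
    """Return the attributes of each <animate> nested in <svg> within html."""
    parser = SvgAnimateFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def triage(html: str) -> str:
    """Conservative verdict: 'flag' if any SVG animation is present, else 'pass'."""
    return "flag" if find_svg_animate(html) else "pass"


# Constructed sample bodies: a static inline SVG and one carrying an animation.
BENIGN = "<p>Quarterly report attached.</p><svg width='10'><circle r='4'/></svg>"
SUSPECT = ("<div><svg xmlns='http://www.w3.org/2000/svg'>"
           "<animate attributeName='r' from='1' to='5' dur='1s'/></svg></div>")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(body), find_svg_animate(body))
```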

When releasing the fixes in versions 1.6.12 and 1.5.12, the Roundcube security team strongly urged administrators to update all production installations. They emphasized that applying these patches is crucial for securing systems. Current internet scans show over 46,000 accessible Roundcube instances, though the exact number vulnerable to these specific attacks remains unclear.

CISA has now formally added both vulnerabilities to its Known Exploited Vulnerabilities catalog, a clear signal that malicious actors are actively using them as attack vectors. The agency has given Federal Civilian Executive Branch agencies until March 13 to apply the necessary updates, a deadline enforced under a binding operational directive. This catalog also includes ten other Roundcube Webmail vulnerabilities that have been exploited in current or past campaigns.

Roundcube’s integration into popular hosting platforms has made it a persistent focus for attackers. Notably, a previous stored XSS flaw, CVE-2023-5631, was exploited in zero-day attacks by the Russian-aligned Winter Vivern group against European government entities. The same vulnerability was also used by the APT28 cyber-espionage group to compromise Ukrainian government email systems. This history demonstrates the consistent attention threat actors pay to this software, making prompt patching a critical component of any organization’s cybersecurity posture.

(Source: Bleeping Computer)