CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog
Source: The Hacker News

Vulnerabilities Added to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of ongoing exploitation.
- CVE‑2025‑49113 – CVSS 9.9: Deserialization of untrusted data that enables remote code execution by authenticated users because the from parameter in program/actions/settings/upload.php is not validated. Fixed in the June 2025 release.
- CVE‑2025‑68461 – CVSS 7.2: Cross‑site scripting via the animate tag in an SVG document. Fixed in the December 2025 release.
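As an added illustration of the second flaw's attachment-screening side (this is example code written for this page, not Roundcube's own code), the check below parses an SVG document and reports any SMIL animation element before the file is stored or rendered inline. The article names only the animate tag; the sibling SMIL elements in the set and the sample SVG inputs are constructed for the example.

```python
"""Flag SVG uploads that carry SMIL animation elements (defensive check)."""
import xml.etree.ElementTree as ET

# 'animate' is the element named in the article; the other SMIL animation
# elements are added here on the assumption a screener wants the whole family.
ANIMATION_TAGS = {"animate", "animatetransform", "animatemotion", "set"}


def local_name(tag: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1].lower()


def find_animation_elements(svg_bytes: bytes) -> list[str]:
    """Return the path of every animation element found; [] when none.

    Malformed XML is reported as a finding rather than silently accepted,
    since a parser that gives up is not evidence the file is clean.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]

    findings: list[str] = []

    def walk(element, path: str) -> None:
        name = local_name(element.tag)
        here = f"{path}/{name}"
        if name in ANIMATION_TAGS:
            findings.append(here)
        for child in element:
            walk(child, here)

    walk(root, "")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the document parsed and holds no animation element."""
    return not find_animation_elements(svg_bytes)


# Constructed sample inputs: a plain rectangle and the same rectangle animated.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
ANIMATED_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10">'
    b'<animate attributeName="width" to="20" dur="1s"/></rect></svg>'
)

if __name__ == "__main__":
    print("clean:", find_animation_elements(CLEAN_SVG))        # []
    print("animated:", find_animation_elements(ANIMATED_SVG))  # ['/svg/rect/animate']
```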
Exploitation Activity
Dubai‑based cybersecurity firm FearsOff, whose founder Kirill Firsov reported CVE‑2025‑49113, confirmed that attackers had “diffed and weaponized the vulnerability” within 48 hours of its public disclosure. An exploit was subsequently made available for sale on June 4 2025.
Firsov noted that the flaw can be reliably triggered on default installations and had been hidden in the codebase for over ten years. While the specific actors behind the current exploitation are unknown, multiple Roundcube vulnerabilities have previously been weaponized by nation‑state groups such as APT28 and Winter Vivern.
Remediation Timeline
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by March 13 2026 to protect their networks against the active threat.