U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

AndyC 22 February 2026

U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

Pierluigi Paganini
February 21, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two RoundCube Webmail flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-49113 (CVSS score of 9.9) RoundCube Webmail Deserialization of Untrusted Data Vulnerability
  • CVE-2025-68461 (CVSS score: 7.2) RoundCube Webmail Cross-site Scripting Vulnerability

Roundcube is a popular webmail platform and has been repeatedly targeted by advanced threat groups like APT28 and Winter Vivern. In the past, attackers exploited these vulnerabilities to steal login credentials and spy on sensitive communications. These campaigns show how unpatched systems remain a serious risk, especially for high-value targets.

The critical flaw CVE-2025-49113 is a deserialization of untrusted data vulnerability. The flaw went unnoticed for over a decade, an attacker can exploit it to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability.

“Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.” reads the advisory published by NIST.

The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS.

At the time of the discovery, Firsov estimated that the flaw was impacting over 53 million hosts (and tools like cPanel, Plesk, ISPConfig, DirectAdmin, etc.),

Researchers at Positive Technologies announced they have reproduced CVE-2025-49113 in Roundcube. The experts urge users to update to the latest version of Roundcube immediately.

The second flaw, tracked as CVE-2025-68461, added to the Kev catalog is a cross-site scripting vulnerability.

“Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.” reads the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by March 10, 2026.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, CISA)

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

Tags: , , , , , , , , , , , , , , , , , ,

More Stories

Spanish police say they have arrested hacker who booked luxury hotel rooms for just one cent

PayPal discloses extended data leak linked to Loan App glitch

AndyC 21 February 2026
North Korean IT worker scam nets Ukrainian five-year sentence in the U.S.

North Korean IT worker scam nets Ukrainian five-year sentence in the U.S.

AndyC 21 February 2026
FBI warns of surge in ATM Jackpotting, Million lost in 2025

FBI warns of surge in ATM Jackpotting, $20 Million lost in 2025

AndyC 21 February 2026
Red Card 2.0: INTERPOL busts scam networks across Africa, seizes millions

Red Card 2.0: INTERPOL busts scam networks across Africa, seizes millions

AndyC 21 February 2026
Agentic AI in Cybersecurity is a Smarter, Faster Path to Resilience

PromptSpy abuses Gemini AI to gain persistent access on Android

AndyC 21 February 2026
Germany’s national rail operator Deutsche Bahn hit by a DDoS attack

Germany’s national rail operator Deutsche Bahn hit by a DDoS attack

AndyC 20 February 2026

You may have missed

This Week in Scams: AI Search Traps, a Fintech Breach, and a $12M Louvre Hustle

AndyC 22 February 2026
U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog

AndyC 22 February 2026
Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning

Anthropic Launches Claude Code Security for AI-Powered Vulnerability Scanning

AndyC 22 February 2026
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

AndyC 22 February 2026
EC-Council Expands AI Certification Portfolio to Strengthen U.S. AI Workforce Readiness and Security

EC-Council Expands AI Certification Portfolio to Strengthen U.S. AI Workforce Readiness and Security

AndyC 22 February 2026

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.