
Unpatched RoundCube servers enable remote code execution and credential theft, posing a systemic risk to millions of email users and critical infrastructure.
RoundCube Webmail remains a staple for hosting providers, yet its popularity makes it a lucrative target for nation-state actors such as APT28 and Winter Vivern. The newly cataloged CVE-2025-49113 exploits a deserialization weakness in the _from parameter, allowing authenticated attackers to execute arbitrary PHP code. With a near-maximum CVSS rating of 9.9, the vulnerability can compromise entire mail servers, granting access to sensitive communications and potentially serving as a foothold for broader network infiltration.
The second entry, CVE-2025-68461, introduces a cross-site scripting vector via an SVG animate tag. Though its CVSS score of 7.2 is lower, XSS attacks can still harvest credentials, inject malicious payloads, and facilitate phishing campaigns against end users. Both flaws affect legacy versions of RoundCube that many organizations still run due to inertia or compatibility concerns, underscoring the importance of timely updates. The vendor's patches, 1.5.10 LTS and 1.6.11, address the issues, but adoption rates remain uncertain across the fragmented hosting ecosystem.
CISA's inclusion of these vulnerabilities in the KEV catalog signals heightened federal scrutiny and a clear deadline for remediation. Agencies are required to patch by March 10, 2026, while private entities are advised to audit their mail infrastructure against the catalog and prioritize updates. This move reflects a broader governmental push to reduce the attack surface of widely deployed open-source software, emphasizing that neglecting legacy webmail platforms can expose organizations to severe operational and reputational damage.
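A branch-aware version check is the most direct way to act on the fixed releases named above (1.5.10 for the 1.5 LTS branch, 1.6.11 for the 1.6 branch). The script below is an added example, not code from the article, CISA, or the RoundCube project. It assumes the operator has already gathered a host-to-version inventory (the sample inventory here is constructed), reads only the leading MAJOR.MINOR.PATCH triple so suffixes such as "LTS" or "-git" do not break parsing, and flags any branch the article does not name for manual review rather than guessing its status.

```python
"""Branch-aware RoundCube version audit against the fixed releases the
advisory names (1.5.10 LTS, 1.6.11). Added example code; the inventory
below is a constructed sample, not data from the article."""
import re
from typing import Dict, Tuple

# Fixed releases per branch, as stated in the article. Branches not listed
# here (e.g. 1.4.x, or anything newer than 1.6) have no fix named on the
# page, so they are reported for review instead of being assumed safe.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 5): (1, 5, 10),
    (1, 6): (1, 6, 11),
}

# Only the leading numeric triple matters; trailing tokens such as
# " LTS" or "-git" are ignored on purpose.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) from a RoundCube version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(version_text: str) -> str:
    """Classify one version as 'patched', 'vulnerable' or 'branch-not-listed'.

    A version is 'patched' when it is at or above the fixed release for its
    own MAJOR.MINOR branch; comparing across branches would be misleading,
    because 1.5.10 is fixed while 1.6.9 (numerically larger) is not.
    """
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "branch-not-listed"
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host in a host -> version inventory to its status."""
    return {host: assess(version) for host, version in inventory.items()}


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mail1.example.test": "1.6.11",
    "mail2.example.test": "1.6.9",
    "legacy.example.test": "1.5.10 LTS",
    "old.example.test": "1.4.15",
}


if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "vulnerable" fall under the KEV deadline; hosts reported as "branch-not-listed" need a human to confirm whether the branch is supported at all, since the article names no fix for them.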