RoundCube flaws are now being actively exploited in attacks, prompting a critical warning from the Cybersecurity and Infrastructure Security Agency (CISA). The agency has ordered U.S. federal agencies to immediately patch two recently identified vulnerabilities in Roundcube Webmail, a widely used web-based email client, within the next three weeks.
Roundcube Webmail has been the default mail interface for the popular cPanel web hosting control panel since 2008. The two vulnerabilities flagged by CISA pose a significant risk to systems and data.
The first vulnerability, a critical remote code execution flaw tracked as CVE-2025-49113, was initially flagged as exploited shortly after being patched in June 2025. At that time, security watchdog Shadowserver cautioned that over 84,000 Roundcube webmail installations were vulnerable to attacks.
The second vulnerability, CVE-2025-68461, was patched in December 2025. Roundcube warned that remote, unauthenticated attackers could exploit it through low-complexity cross-site scripting (XSS) attacks abusing the animate tag in SVG documents.
“We strongly recommend updating all productive installations of Roundcube 1.6.x and 1.5.x with these new versions,” the Roundcube security team stated upon releasing versions 1.6.12 and 1.5.12 to address this security flaw.
Shodan currently tracks over 46,000 Roundcube instances accessible on the internet. The exact number vulnerable to CVE-2025-49113 or CVE-2025-68461 attacks remains unknown.
CISA Adds RoundCube Flaws to Known Exploited Vulnerabilities Catalog
While CISA did not provide specific details on the attacks exploiting these two RoundCube flaws, the agency added them to its Known Exploited Vulnerabilities (KEV) Catalog, warning that they are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.”
CISA also tracks ten other Roundcube Webmail vulnerabilities that are either actively exploited in attacks or have been abused in the past.
Federal Agencies Ordered to Patch Immediately
The U.S. cybersecurity agency has ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems against these security bugs by March 13, as mandated by a binding operational directive (BOD 22-01) issued in November 2021. This directive underscores the urgency of addressing these RoundCube flaws.
Past Exploitation of Roundcube Vulnerabilities
Roundcube vulnerabilities have been a popular target for cybercrime and state-sponsored threat groups. A recent example is a stored cross-site scripting (XSS) vulnerability (CVE-2023-5631) exploited by the Winter Vivern (TA473) Russian hacking group in zero-day attacks targeting European government entities and by the Russian APT28 cyber-espionage group to breach Ukrainian government email systems. related Fraudulents news
The exploitation of these RoundCube flaws highlights the need for organizations to maintain up-to-date security patches and proactively monitor their systems for potential vulnerabilities. Regular security audits and prompt patching are essential to mitigate the risk of exploitation by malicious actors.
Addressing these RoundCube flaws is essential for maintaining secure email communications.
Source: BleepingComputer




