Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-49113 (CVSS score: 9.9) - A deserialization of untrusted data vulnerability that allows remote code
Analysis Summary
# Vulnerability: Active Exploitation of Roundcube Webmail (RCE and XSS)
## CVE Details
- **CVE ID:** CVE-2025-49113 / CVE-2025-68461
- **CVSS Score:** 9.9 (Critical) / 7.2 (High)
- **CWE:** CWE-502 (Deserialization of Untrusted Data) / CWE-79 (Cross-site Scripting)
## Affected Systems
- **Products:** Roundcube Webmail
- **Versions:**
  - **CVE-2025-49113:** All versions prior to June 2025 (reportedly present in the codebase for over 10 years).
  - **CVE-2025-68461:** Versions prior to 1.6.12 and 1.5.12.
- **Configurations:** Default installations are confirmed to be vulnerable. CVE-2025-49113 requires an authenticated user session.
## Vulnerability Description
- **CVE-2025-49113:** A critical deserialization flaw exists in `program/actions/settings/upload.php`. The application fails to validate the `_from` parameter in a URL, allowing an authenticated attacker to trigger remote code execution (RCE) via untrusted data deserialization.
- **CVE-2025-68461:** A stored cross-site scripting (XSS) vulnerability exists due to improper handling of the `<animate>` tag within SVG documents. This allows attackers to inject malicious scripts into the webmail interface.
## Exploitation
- **Status:** Exploited in the wild (both added to CISA KEV on Feb 21, 2026).
- **Complexity:** Low (Triggerable on default installations; CVE-2025-49113 was "weaponized" within 48 hours of disclosure).
- **Attack Vector:** Network.
- **PoC Availability:** Exploit for CVE-2025-49113 was observed being offered for sale as of June 4, 2025.
## Impact
- **Confidentiality:** High (Full access to emails and server data via RCE).
- **Integrity:** High (Ability to modify mail data or system files).
- **Availability:** High (Potential for full system takeover or service disruption).
## Remediation
### Patches
- **CVE-2025-49113:** Apply updates released in June 2025.
- **CVE-2025-68461:** Update to Roundcube **1.6.12** or **1.5.12** (released December 2025).
### Workarounds
- No specific workarounds were provided; immediate patching is mandatory for compliance with CISA directives (FCEB agencies must remediate by March 13, 2026).
## Detection
- **Indicators of Compromise:** Monitor web server logs for suspicious requests to `upload.php` involving the `_from` parameter. Inspect SVG attachments containing the `<animate>` tag.
- **Tools:** Use vulnerability scanners to identify outdated Roundcube versions. Review CISA KEV updates for associated threat actor behavior (Roundcube has historically been targeted by APT28 and Winter Vivern).
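The two detection checks above, worked into runnable code. This is an added example written for this summary, not code from Roundcube, CISA or the cited researchers. It scans constructed Apache combined-format log lines for upload requests that carry the `_from` parameter, and inspects constructed SVG documents for the `<animate>` element. Two assumptions beyond the text: the upload request is also matched in its routed form (`_action=upload` in the query string), and the SVG check is extended to the sibling SMIL animation elements (`animateMotion`, `animateTransform`, `set`), which are listed in `SMIL_ANIMATION_TAGS` and can be trimmed back to `animate` alone.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 test addresses); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Feb/2026:10:00:01 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2026:10:00:05 +0000] "POST /roundcube/program/actions/settings/upload.php?_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Feb/2026:10:01:10 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-response HTTP/1.1" 200 98 "-" "curl/8.4.0"
203.0.113.7 - - [21/Feb/2026:10:02:00 +0000] "POST /roundcube/?_task=settings&_action=upload HTTP/1.1" 200 98 "-" "Mozilla/5.0"
"""

# Constructed SVG samples for the attachment check.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ANIMATE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5">'
    b'<animate attributeName="r" values="5;10" dur="1s"/></circle></svg>'
)


def is_upload_request(target):
    """True when the request targets the settings upload action.

    Matches the upload.php path named in the advisory and, as an assumption
    made for this example, the routed form (?_task=settings&_action=upload).
    """
    parts = urlsplit(target)
    if parts.path.endswith("/upload.php"):
        return True
    params = parse_qs(parts.query, keep_blank_values=True)
    return params.get("_action") == ["upload"]


def find_upload_from_requests(log_text):
    """Return one dict per upload request that carries a `_from` parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = m.group("target")
        if not is_upload_request(target):
            continue
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "_from" not in params:
            continue  # upload without _from is ordinary Roundcube traffic
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "target": target,
            "from": params["_from"][0],
        })
    return hits


# The advisory names <animate>; the other three are its SMIL siblings (assumption).
SMIL_ANIMATION_TAGS = {"animate", "animateMotion", "animateTransform", "set"}


def svg_contains_animation(svg_bytes):
    """True if the SVG has any SMIL animation element, in any namespace."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return True  # unparseable attachment: treat as suspicious, do not pass silently
    for el in root.iter():
        local_name = el.tag.rsplit("}", 1)[-1]  # strip "{namespace}" prefix
        if local_name in SMIL_ANIMATION_TAGS:
            return True
    return False


if __name__ == "__main__":
    for hit in find_upload_from_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['target']} (_from={hit['from']!r})")
    print("benign svg flagged:", svg_contains_animation(BENIGN_SVG))
    print("animate svg flagged:", svg_contains_animation(ANIMATE_SVG))
```

Every upload request with `_from` is reported, including legitimate identity and response edits, so this is a triage feed rather than an alert on its own: correlate the source address and session with the authenticated user, and treat a burst of such requests from one address, or requests from user agents that are not a browser, as the signal worth escalating. For attachments from untrusted senders, parse with `defusedxml` instead of the standard library parser, since `xml.etree` itself offers no protection against entity-expansion attacks.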
## References
- CISA KEV Catalog: hxxps[://]www.cisa.gov/known-exploited-vulnerabilities-catalog
- Roundcube Security Advisory: hxxps[://]roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12
- Researcher Analysis (FearsOff): hxxps[://]fearsoff.org/research/roundcube
- News Source: hxxps[://]thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html