The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially acknowledged the active exploitation of two critical security vulnerabilities affecting the widely used Roundcube webmail software. The agency added these flaws to its Known Exploited Vulnerabilities (KEV) catalog on February 21, 2026, prompting urgent patching efforts for organizations utilizing the affected software. This development underscores the persistent threat of unpatched vulnerabilities in widely deployed applications.
Roundcube, a popular open-source web-based email client, is employed by numerous organizations globally to manage their email communications. The inclusion of these vulnerabilities in CISA’s KEV catalog signifies that concrete evidence of active malicious exploitation has been identified, posing an immediate risk to networks.
Urgent Patch Management for Roundcube Vulnerabilities
The two vulnerabilities now listed under KEV are CVE-2025-49113 and CVE-2025-68461. CVE-2025-49113, a deserialization of untrusted data flaw with a critical CVSS score of 9.9, allows authenticated remote code execution. This critical issue stems from an unvalidated `_from` parameter within the `program/actions/settings/upload.php` file, enabling attackers to potentially compromise the entire system.
The second vulnerability, CVE-2025-68461, is a cross-site scripting (XSS) flaw with a CVSS score of 7.2. It is exploitable through the use of an `animate` element within an SVG document, providing a pathway for attackers to inject malicious scripts into user sessions.
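The defensive counterpart to the SVG-based XSS class described above is to strip scriptable markup from SVG content before a mail client renders it. The following is an added illustration, not Roundcube's own sanitizer and not a reproduction of the reported exploit: it parses an SVG document with the Python standard library, removes elements that can run code or rewrite attributes over time (`script`, the `animate` family, `set`, `foreignObject`, `use`), drops `on*` event-handler attributes, and keeps `href` references only when they point at an in-document fragment or an inline raster image. The sample input is constructed for the example.

```python
"""Strip scriptable markup from an SVG document before rendering it.

Added example for the SVG/XSS vulnerability class discussed above; this is
not Roundcube's code and does not reproduce any specific exploit.  It uses
only the standard library.  For untrusted input in production, parse with the
`defusedxml` package rather than `xml.etree` directly (assumption: the caller
has already enforced a size limit on the document).
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code, change attributes over time, embed foreign
# content, or pull in external references.  A strict allowlist of plain shapes
# is safer still; a denylist keeps the example compact.
BLOCKED_ELEMENTS = {
    "script", "animate", "animatetransform", "animatemotion", "animatecolor",
    "set", "foreignobject", "use",
}


def _local(tag: str) -> str:
    """Return the lower-cased local name of a tag like '{ns}animate' or attribute like '{ns}href'."""
    return tag.rsplit("}", 1)[-1].lower()


def _href_is_safe(value: str) -> bool:
    """Allow only same-document fragments and inline raster images in href attributes."""
    v = value.strip().lower()
    return v.startswith("#") or v.startswith(("data:image/png", "data:image/jpeg", "data:image/gif"))


def sanitize_svg(svg_text: str) -> tuple[str, list[str]]:
    """Return (sanitized SVG text, list of removed items in document order)."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) in BLOCKED_ELEMENTS:
        raise ValueError("root element is not allowed")
    removed: list[str] = []

    def scrub(elem: ET.Element) -> None:
        # Walk a copy of the child list because we mutate it while iterating.
        for child in list(elem):
            name = _local(child.tag)
            if name in BLOCKED_ELEMENTS:
                elem.remove(child)
                removed.append(f"element:{name}")
            else:
                scrub(child)
        for attr in list(elem.attrib):
            name = _local(attr)
            if name.startswith("on"):  # event handlers such as onload / onclick
                del elem.attrib[attr]
                removed.append(f"attribute:{name}")
            elif name == "href" and not _href_is_safe(elem.attrib[attr]):
                del elem.attrib[attr]
                removed.append(f"attribute:{name}")

    scrub(root)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: a benign drawing carrying the three markup features the
# sanitizer is meant to remove (an animate child, an event handler, a script URL).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <circle cx="5" cy="5" r="4" onload="run()">
    <animate attributeName="r" from="1" to="4" dur="1s"/>
  </circle>
  <a xlink:href="javascript:run()"><text>x</text></a>
  <rect width="2" height="2"/>
</svg>"""

if __name__ == "__main__":
    clean, dropped = sanitize_svg(SAMPLE_SVG)
    print("removed:", dropped)
    print(clean)
```

Sanitizing is a second line of defence; the lower-risk handling for a webmail client is to never render attached SVG inline at all (serve it as a download with `Content-Disposition: attachment`, or rasterize it server-side), because every sanitizer has to keep pace with the browser's parsing behaviour.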
Exploitation Timeline and Impact
According to reports, CVE-2025-49113 was discovered by Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff. Firsov’s company stated that attackers began weaponizing the vulnerability within 48 hours of its public disclosure. An exploit for this flaw was reportedly offered for sale as early as June 4, 2025. Firsov emphasized that the vulnerability could be reliably triggered on default installations and had remained undetected in the codebase for over a decade.
While the specific actors behind the exploitation of these two Roundcube flaws remain undisclosed, the email software has a history of being targeted by sophisticated threat groups. Nation-state actors, including APT28 and Winter Vivern, have previously been linked to the weaponization of vulnerabilities within Roundcube, indicating a potential for high-impact attacks.
Mandatory Remediation for Federal Agencies
In response to the active exploitation and the heightened risk, CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies bring the affected Roundcube instances into compliance by March 13, 2026. This deadline highlights the urgency for these critical infrastructure entities to remediate the identified vulnerabilities to safeguard their networks from ongoing threats.
The inclusion of these Roundcube vulnerabilities in the KEV catalog serves as a critical alert for all organizations that utilize the webmail software. Proactive patch management and diligent security hygiene are paramount in mitigating the risks associated with known exploited vulnerabilities, which often represent the most immediate and severe threats to system security.
Organizations worldwide are strongly advised to review their Roundcube deployments and apply the necessary patches as soon as possible. Staying informed about CISA’s KEV catalog and prioritizing the remediation of listed vulnerabilities is a cornerstone of effective cybersecurity defense against evolving threats, including those targeting widely deployed webmail solutions.
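The advice above, to track the KEV catalog and prioritize listed vulnerabilities, is straightforward to automate. The script below is an added example, not CISA tooling: it reads a KEV-shaped JSON feed (the public catalog is a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`), joins it against a local software inventory, and returns the unpatched host/CVE pairs ordered by remediation deadline. The feed records and the inventory are constructed here from the article's CVE identifiers and dates so the example runs offline; the third record uses a placeholder identifier and an invented vendor name.

```python
"""Triage a CISA KEV-style feed against a local software inventory.

Added example, not CISA's tooling.  The record shape matches the public KEV
JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/
known_exploited_vulnerabilities.json at the time of writing); the records and
inventory below are constructed so that the script runs offline.
"""
import json
from datetime import date

# Constructed KEV-shaped records: the two Roundcube entries use the dates and
# CVE identifiers cited in the article; the third is a placeholder entry.
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the live catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2025-49113", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2026-02-21", "dueDate": "2026-03-13"},
        {"cveID": "CVE-2025-68461", "vendorProject": "Roundcube", "product": "Webmail",
         "dateAdded": "2026-02-21", "dueDate": "2026-03-13"},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Wiki",
         "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},  # placeholder, not a real CVE
    ],
})

# Constructed inventory: one host per line as an asset database might export it.
INVENTORY = [
    {"host": "mail-1", "vendor": "Roundcube", "patched": False},
    {"host": "mail-2", "vendor": "Roundcube", "patched": True},   # already remediated
    {"host": "wiki-1", "vendor": "ExampleVendor", "patched": False},
    {"host": "db-1", "vendor": "OtherVendor", "patched": False},   # nothing listed for it
]


def load_kev(kev_json: str) -> list[dict]:
    """Parse the feed text and return its vulnerability records."""
    return json.loads(kev_json)["vulnerabilities"]


def triage(kev_json: str, inventory: list[dict], today: date) -> list[dict]:
    """Return unpatched host/CVE pairs sorted by days left until the KEV due date.

    Matching is on vendorProject only (case-insensitive) because KEV product
    strings are not normalized; a real deployment would also compare versions.
    """
    entries = load_kev(kev_json)
    findings = []
    for host in inventory:
        if host.get("patched"):
            continue
        for entry in entries:
            if entry["vendorProject"].lower() != host["vendor"].lower():
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": host["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    # Most urgent first; deterministic order for ties.
    findings.sort(key=lambda f: (f["days_left"], f["host"], f["cveID"]))
    return findings


if __name__ == "__main__":
    for f in triage(KEV_SAMPLE, INVENTORY, date(2026, 2, 24)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_left']:>3}d"
        print(f"{flag:8} {f['host']:8} {f['cveID']:16} due {f['dueDate']}")
```

The KEV due date is binding only on FCEB agencies, but the same ordering is a reasonable default for any organization, since every entry in the catalog is there because exploitation has already been observed.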