CISA Adds Two Actively Exploited Roundcube Vulnerabilities to KEV Catalog

US CISA Adds Roundcube Webmail Vulnerabilities to Exploited Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities in question are CVE-2025-49113 and CVE-2025-68461.

CVE-2025-49113: Deserialization of Untrusted Data Vulnerability

CVE-2025-49113 is a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users due to the failure to validate the _from parameter in a URL in program/actions/settings/upload.php. This vulnerability has a CVSS score of 9.9 and was fixed in June 2025.

According to Dubai-based cybersecurity company FearsOff, attackers have already developed and weaponized exploits for this vulnerability within 48 hours of its public disclosure. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025.

FearsOff’s founder and CEO, Kirill Firsov, noted that the vulnerability can be reliably triggered on default installations and had been present in the codebase for over 10 years.
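Defenders can hunt for abuse of the _from parameter described above in ordinary web-server access logs. The following Python is an added example and is not code from the article, CISA, FearsOff or the Roundcube project. It assumes Apache combined-log input, that Roundcube reaches program/actions/settings/upload.php through its front controller as _task=settings&_action=upload, and that a legitimate _from value is a short token of letters, digits, underscore and hyphen; that allowlist is a conservative assumption for the example, not a reproduction of the upstream fix. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/Jun/2025:10:01:12 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [04/Jun/2025:10:02:30 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/Jun/2025:10:03:45 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=value%20with%20%24odd%3B%20chars HTTP/1.1" 200 412 "-" "curl/8.0"',
    '198.51.100.8 - - [04/Jun/2025:10:04:01 +0000] "POST /roundcube/?_task=settings&_action=upload HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
]

# Client IP, timestamp, method and request target from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# Assumption: a benign _from value is a short page/action token. Anything
# outside this character set is reported as anomalous.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')


def is_settings_upload(path, query):
    """True when the request reaches the settings upload action.

    Assumption: Roundcube dispatches program/actions/settings/upload.php via
    _task=settings&_action=upload; a direct hit on the script path is
    checked as well in case the deployment exposes it.
    """
    if path.endswith('program/actions/settings/upload.php'):
        return True
    return query.get('_task') == ['settings'] and query.get('_action') == ['upload']


def find_suspicious_from_values(lines):
    """Return one record per upload request whose _from value fails the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        parts = urlsplit(m.group('target'))
        # parse_qs percent-decodes values, so encoded punctuation is inspected decoded
        query = parse_qs(parts.query, keep_blank_values=True)
        if not is_settings_upload(parts.path, query):
            continue
        for value in query.get('_from', []):
            if not SAFE_FROM.match(value):
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'), 'from': value})
    return hits


if __name__ == '__main__':
    for hit in find_suspicious_from_values(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} anomalous _from={hit['from']!r}")
```

Run against real logs, the only line the script reports is the third constructed one, whose decoded _from value contains spaces and punctuation; requests with no _from at all are ignored, since the point is the unvalidated value rather than the upload action itself. Unpatched installations should still be upgraded, since log review only catches attempts after the fact.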

CVE-2025-68461: Cross-Site Scripting Vulnerability

CVE-2025-68461 is a cross-site scripting vulnerability via the animate tag in an SVG document, with a CVSS score of 7.2. This vulnerability was fixed in December 2025.
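The class of bug described above, script execution through an animate element inside an SVG attachment, is normally mitigated by sanitizing SVG before it is rendered in the mail client. The following Python is an added example, not code from the article or from Roundcube; it assumes a small blocklist of SVG elements that can run script or rewrite other elements' attributes at render time, treats any on* attribute or javascript: URL as a scripting attribute, and uses the standard library's xml.etree parser. The sample SVG is constructed.

```python
import xml.etree.ElementTree as ET

SVG_NS = 'http://www.w3.org/2000/svg'
XLINK_NS = 'http://www.w3.org/1999/xlink'
# Keep the default and xlink namespaces readable on output instead of ns0/ns1.
ET.register_namespace('', SVG_NS)
ET.register_namespace('xlink', XLINK_NS)

# Elements that can execute script or change other elements' attributes while
# the image renders. This set is an assumption for the example, not Roundcube's
# own allowlist.
BLOCKED_TAGS = {'script', 'animate', 'animateTransform', 'animateMotion',
                'set', 'foreignObject'}

# Constructed sample: an otherwise harmless drawing carrying an animate
# element and an inline event handler attribute.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100" onload="init()">
  <rect x="10" y="10" width="80" height="80" fill="steelblue">
    <animate attributeName="x" from="10" to="50" dur="2s" repeatCount="indefinite"/>
  </rect>
  <circle cx="50" cy="50" r="20" fill="white"/>
</svg>"""


def _local(tag):
    # '{http://www.w3.org/2000/svg}animate' -> 'animate'
    return tag.rsplit('}', 1)[-1]


def _is_scripting_attr(name, value):
    # Event handlers (onload, onclick, ...) and script-scheme links.
    local = _local(name).lower()
    return local.startswith('on') or value.strip().lower().startswith('javascript:')


def sanitize_svg(svg_text):
    """Drop blocked elements and scripting attributes from an SVG document.

    Returns (sanitized_text, removed_count). Note: for untrusted input in
    production, parse with defusedxml rather than bare ElementTree so that
    entity-expansion attacks are refused as well.
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) in BLOCKED_TAGS:
        raise ValueError('root element is not allowed')
    removed = 0
    # Snapshot the tree first so removals do not disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in BLOCKED_TAGS:
                parent.remove(child)
                removed += 1
    for elem in root.iter():
        for name, value in list(elem.attrib.items()):
            if _is_scripting_attr(name, value):
                del elem.attrib[name]
                removed += 1
    return ET.tostring(root, encoding='unicode'), removed


if __name__ == '__main__':
    cleaned, count = sanitize_svg(SAMPLE_SVG)
    print(f'removed {count} item(s)')
    print(cleaned)
```

On the constructed sample the sanitizer strips the animate element and the onload attribute (two removals) while leaving the rect and circle intact. A blocklist like this one is the minimum; a stricter design allows only a known-good set of elements and attributes, and serving attachments from a separate origin with a restrictive Content-Security-Policy limits what any script that slips through can reach.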

While t

