RoundCube Webmail Vulnerability Exploited in Recent Attacks
A recently disclosed vulnerability in RoundCube Webmail has been exploited by attackers, prompting a warning from the US Cybersecurity and Infrastructure Security Agency (CISA).
Vulnerability Details
RoundCube Webmail is widely deployed in government and enterprise networks, which makes it an attractive target for attackers.
The vulnerability, tracked as CVE-2025-49113, is a post-authentication remote code execution (RCE) bug with a CVSS score of 9.9. The bug had been present in the code base for over a decade and affects RoundCube versions 1.1.0 through 1.6.10.
The flaw lies in the settings upload handler, which does not validate the _from request parameter. Attacker-controlled data therefore ends up in the user's PHP session and is later unserialized, giving any authenticated user PHP object deserialization and, through it, code execution on the mail server.
Exploit and Patch
The vulnerability was patched on June 1, 2025, in RoundCube 1.6.11 and 1.5.10, but threat actors quickly developed exploit code, claiming that the credentials needed to reach the vulnerable code path could be brute-forced.
In addition to CVE-2025-49113, CISA warned that threat actors have also been exploiting CVE-2025-68461, a high-severity vulnerability with a CVSS score of 7.2.
This flaw, a cross-site scripting (XSS) issue, was patched in December 2025 in Webmail versions 1.6.12 and 1.5.12.
It allows an attacker to run JavaScript in the context of the victim's webmail session, without further user interaction, by embedding a malicious payload in the animate element of an SVG document.
CISA Warning and Recommendations
CISA has urged federal agencies to patch both vulnerabilities within three weeks, as mandated by Binding Operational Directive (BOD) 22-01.
All organizations are advised to review CISA’s Known Exploited Vulnerabilities (KEV) catalog and prioritize addressing the security defects it contains.
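The following script is an added example, not code from the article, CISA or the RoundCube project. It reads the RCMAIL_VERSION constant from a copy of program/include/iniset.php (the location of that constant is assumed from the project layout) and reports whether the installed version is exposed to either CVE, using the fix levels stated above: 1.6.11/1.5.10 for CVE-2025-49113 and 1.6.12/1.5.12 for CVE-2025-68461. Branches older than 1.5 receive no backports, so the script flags them as unsupported for the XSS and relies on the article's stated 1.1.0 to 1.6.10 range for the RCE; newer branches than 1.6 are assumed to carry both fixes. The sample file content is constructed for the example.

```python
from __future__ import annotations

import re
import sys

# Fix levels per supported branch, taken from the advisory text above.
FIXED_IN: dict[str, dict[tuple[int, int], tuple[int, int, int]]] = {
    "CVE-2025-49113": {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)},
    "CVE-2025-68461": {(1, 6): (1, 6, 12), (1, 5): (1, 5, 12)},
}

# Lower bound of the affected range for the RCE, as stated in the article.
RCE_AFFECTED_FROM = (1, 1, 0)

# Matches define('RCMAIL_VERSION', '1.6.10'); the constant's location in
# program/include/iniset.php is an assumption about the project layout.
VERSION_RE = re.compile(
    r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([0-9][0-9A-Za-z.\-]*)'\s*\)"
)

# Constructed excerpt standing in for a real iniset.php.
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.10');
define('RCMAIL_START', microtime(true));
"""


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '1.6.10' (or '1.7-git', '1.6.10-rc1') into a comparable 3-tuple."""
    core = text.split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]  # type: ignore[return-value]


def version_from_iniset(source: str) -> str | None:
    """Extract the RCMAIL_VERSION string from iniset.php source, if present."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def assess(version: str) -> dict[str, str]:
    """Map each CVE to 'vulnerable', 'fixed' or 'unsupported-branch'."""
    v = parse_version(version)
    branch = v[:2]
    result: dict[str, str] = {}
    for cve, fixes in FIXED_IN.items():
        if branch in fixes:
            result[cve] = "fixed" if v >= fixes[branch] else "vulnerable"
        elif v >= max(fixes.values()):
            # Assumption: a branch newer than 1.6 carries both fixes.
            result[cve] = "fixed"
        elif cve == "CVE-2025-49113" and v >= RCE_AFFECTED_FROM:
            # Article states 1.1.0 through 1.6.10 are affected by the RCE.
            result[cve] = "vulnerable"
        else:
            # End-of-life branch with no fix released; treat as needing an upgrade.
            result[cve] = "unsupported-branch"
    return result


def report(source: str) -> str:
    """Human-readable summary for one iniset.php source text."""
    version = version_from_iniset(source)
    if version is None:
        return "RCMAIL_VERSION not found; cannot assess"
    lines = [f"RoundCube {version}:"]
    for cve, status in assess(version).items():
        lines.append(f"  {cve}: {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python roundcube_check.py /path/to/program/include/iniset.php
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(report(fh.read()))
    else:
        print(report(SAMPLE_INISET))
```

Run it against the iniset.php of each RoundCube instance you operate; any "vulnerable" or "unsupported-branch" line is a host to upgrade to 1.6.12 or 1.5.12 (or later) ahead of the KEV deadline.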
