On February 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) Catalog by adding two critical flaws in Roundcube Webmail.
These vulnerabilities, CVE-2025-49113 and CVE-2025-68461, are being actively exploited by threat actors.
Roundcube, a popular open-source webmail client used by organizations worldwide, now faces heightened risks as attackers target federal networks and beyond.
CISA’s move stems from evidence of real-world attacks, emphasizing the dangers of unpatched systems.
Deserialization bugs like CVE-2025-49113 allow attackers to execute arbitrary code remotely, while cross-site scripting (XSS) flaws like CVE-2025-68461 enable session hijacking and data theft.
Both pose severe threats to email servers handling sensitive data, making quick patches essential for email administrators.
Roundcube Vulnerabilities
Roundcube Webmail powers millions of installations, often in enterprise and hosting environments.
CVE-2025-49113 involves unsafe deserialization of untrusted data from user inputs, such as attachments or form fields.
Attackers can craft malicious payloads that, when processed, trigger remote code execution (RCE) without authentication.
This flaw affects versions before 1.6.10 and stems from improper input validation in the PHP deserialization handler.
CVE-2025-68461 is a stored XSS vulnerability in the message rendering engine. Malicious scripts injected via email content persist and execute in victims’ browsers, potentially stealing credentials or spreading further attacks.
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2025-49113 | 9.9 (Critical) | Deserialization of untrusted data leading to RCE via crafted inputs. |
| CVE-2025-68461 | 6.1 (Medium) | Stored XSS in email rendering, enabling session theft. |
Patched versions (1.6.10+) address these issues through enhanced input sanitization and serialization checks.
Exploit proofs surfaced on underground forums last month, and scans targeting exposed Roundcube instances spiked 300% according to Shadowserver data.
According to CISA, this ties into Binding Operational Directive (BOD) 22-01, which mandates that Federal Civilian Executive Branch agencies patch KEV entries by set deadlines.
While aimed at government, CISA urges all organizations to prioritize these flaws. Unpatched servers risk ransomware, data breaches, or APT pivots into networks.
Administrators should inventory their exposed Roundcube instances, update them to 1.6.10 immediately, and place a Web Application Firewall (WAF) in front of them as an interim measure.
Disable unnecessary plugins and review logs for suspicious deserialization errors or XSS payloads. Organizations with multi-tenant setups, such as hosting providers, face heightened exposure.
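The two administrative checks above (version triage against the 1.6.10 threshold the article names, and a log review for deserialization errors and XSS markers) can be scripted. The following is an added example written for this page; it is not code from the article or from the Roundcube project. The hostnames, log format and log lines are constructed for illustration, the `unserialize(): Error at offset` wording is the message PHP itself emits when `unserialize()` is handed malformed data, and the XSS patterns are coarse heuristics, not signatures for the specific CVE.

```python
"""Added example (not from the article or the Roundcube project):
triage Roundcube versions against the 1.6.10 fix line named in the
article, and flag log lines that show PHP deserialization failures
or script-injection markers.  All sample data below is constructed."""
import re
from typing import Iterable

FIXED_VERSION = (1, 6, 10)  # patched release stated in the article


def parse_version(version: str) -> tuple:
    """Turn '1.6.10', 'v1.6.11-rc1' or '1.5' into a comparable tuple.
    Any suffix after the numeric part (e.g. '-rc1') is ignored and the
    tuple is padded to three components so '1.6' compares as (1, 6, 0)."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def is_patched(version: str) -> bool:
    """True when the deployed version is at or above the fixed release."""
    return parse_version(version) >= FIXED_VERSION


def triage_inventory(inventory: dict) -> dict:
    """Map host -> version string to host -> 'patched' or 'VULNERABLE'."""
    return {host: ("patched" if is_patched(ver) else "VULNERABLE")
            for host, ver in inventory.items()}


# PHP's own warning text when unserialize() fails on malformed input;
# a burst of these in a webmail log is worth a closer look.
UNSERIALIZE_ERROR = re.compile(r"unserialize\(\): Error at offset \d+ of \d+ bytes")
# Coarse heuristics for script injection in logged message content.
XSS_MARKERS = re.compile(r"<script\b|javascript:|\bon(?:error|load|mouseover)\s*=",
                         re.IGNORECASE)


def scan_log(lines: Iterable[str]) -> list:
    """Return (line_number, category, line) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        if UNSERIALIZE_ERROR.search(line):
            hits.append((n, "deserialization-error", line.rstrip()))
        elif XSS_MARKERS.search(line):
            hits.append((n, "xss-marker", line.rstrip()))
    return hits


# Constructed sample inventory and log (hostnames, paths and sessions are
# placeholders, not real systems or real Roundcube output).
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.9",
    "mail-c.example": "1.5.3",
    "mail-d.example": "v1.6.11-rc1",
}
SAMPLE_LOG = [
    "[20-Feb-2026 09:12:01 +0000] <sess1> PHP Warning: unserialize(): Error at offset 14 of 97 bytes in /srv/webmail/example.php on line 42",
    "[20-Feb-2026 09:12:05 +0000] <sess1> Successful login for alice from 198.51.100.7",
    "[20-Feb-2026 09:13:40 +0000] <sess2> Message subject: Invoice <img src=x onerror=alert(1)>",
    "[20-Feb-2026 09:14:00 +0000] <sess2> IMAP Error: Login failed for bob against localhost",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {SAMPLE_INVENTORY[host]:12} {status}")
    for n, category, line in scan_log(SAMPLE_LOG):
        print(f"line {n}: {category}: {line}")
```

Run it against a real inventory by replacing `SAMPLE_INVENTORY` with the versions collected from each host, and feed `scan_log` the contents of the Roundcube error log; a hit from `UNSERIALIZE_ERROR` on an unpatched host is the combination that should be escalated first.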