The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that both flaws are being actively exploited in the wild. Federal agencies have been ordered to remediate the issues within three weeks under Binding Operational Directive (BOD) 22-01.
Actively Exploited Roundcube Vulnerabilities
Roundcube Webmail is a widely deployed web-based email client and has served as the default mail interface for cPanel since 2008. Its extensive use across shared hosting environments makes it an attractive target for cybercriminal and state-sponsored actors.
CISA has flagged the following vulnerabilities as actively exploited:
CVE-2025-49113 – Critical Remote Code Execution (RCE)
CVE-2025-49113 is a critical PHP object deserialization flaw: `program/actions/settings/upload.php` does not validate the `_from` URL parameter, so a user who can reach the settings upload action can make the server deserialize attacker-controlled data and execute arbitrary code. The bug requires a valid Roundcube login, which in practice is a weak barrier because webmail credentials are routinely obtained through phishing, password guessing, or earlier XSS flaws. Roundcube shipped the fix on June 1, 2025 in versions 1.6.11 and 1.5.10, and exploitation activity was reported within days of the release.
Shadowserver Foundation warned at the time of the patch that over 84,000 internet-facing Roundcube instances were exposed. RCE in a webmail platform is particularly dangerous because the attacker lands on the mail server itself, with access to stored mail, the database credentials and `des_key` in the Roundcube configuration, and whatever backend systems the host can reach.
CVE-2025-68461 – Unauthenticated Cross-Site Scripting (XSS)
The second flaw, CVE-2025-68461, was patched in December 2025. It is a cross-site scripting (XSS) vulnerability in Roundcube's handling of SVG content: the `animate` element inside a malicious SVG document can be used to run attacker-supplied script in the victim's browser. Because the SVG arrives inside an email, the attacker needs no account on the target server; it is a remote, low-complexity attack that fires when the recipient views the message.
A successful XSS in webmail runs with the victim's session, so it can read and exfiltrate the mailbox, hijack the session, harvest credentials, and change account settings such as identities or forwarding rules. Where the target is an administrator or another privileged user, this can be the first step toward broader compromise.
The Roundcube security team strongly urged administrators to upgrade to 1.6.12, or to 1.5.12 on the 1.5 branch, which address this issue.
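As an added illustration of the bug class (this is not Roundcube's own washtml sanitizer and not the CVE-2025-68461 proof of concept), the following Python shows why SVG animation elements defeat a sanitizer that only inspects static attribute values, and a sanitizer-side check that removes SMIL animation elements, inline script, event-handler attributes and script-scheme URLs. The sample SVG is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# SMIL animation elements rewrite attributes of their parent at render time.
# A sanitizer that only inspects the static href on <a> never sees the
# javascript: URL that <animate attributeName="href"> writes later, which is
# why the whole element family has to go, not just bad-looking URL values.
ANIMATION_ELEMENTS = {"animate", "set", "animatemotion", "animatetransform", "animatecolor"}
ACTIVE_ELEMENTS = {"script", "foreignobject"}
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)


def _local(name):
    """Strip the namespace from an element or attribute name."""
    return name.rsplit("}", 1)[-1].lower()


def _scrub(elem, findings):
    """Recursively remove dangerous attributes and children of elem."""
    for attr in list(elem.attrib):
        value = elem.attrib[attr]
        if _local(attr).startswith("on"):  # onload, onclick, onbegin, ...
            findings.append(f"removed event handler {_local(attr)} on <{_local(elem.tag)}>")
            del elem.attrib[attr]
        elif attr in URL_ATTRS and UNSAFE_SCHEME.match(value):
            findings.append(f"removed {_local(attr)}={value!r} on <{_local(elem.tag)}>")
            del elem.attrib[attr]
    for child in list(elem):
        if not isinstance(child.tag, str):  # comments / processing instructions
            continue
        name = _local(child.tag)
        if name in ANIMATION_ELEMENTS:
            target = child.get("attributeName", "?")
            written = child.get("values") or child.get("to") or child.get("from") or ""
            findings.append(f"removed <{name}> that sets {target}={written!r}")
            elem.remove(child)
        elif name in ACTIVE_ELEMENTS:
            findings.append(f"removed <{name}>")
            elem.remove(child)
        else:
            _scrub(child, findings)


def sanitize_svg(svg_text):
    """Return (sanitized SVG text, list of findings). Raises on malformed XML."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("document root is not <svg>")
    findings = []
    _scrub(root, findings)
    return ET.tostring(root, encoding="unicode"), findings


# Constructed sample in the "animate rewrites href" class: the static href is
# harmless, the animation swaps in a javascript: URL after the static check.
SAMPLE_SVG = (
    f'<svg xmlns="{SVG_NS}">'
    '<a href="https://example.invalid/report.pdf">'
    '<animate attributeName="href" values="javascript:alert(document.cookie)" begin="0s"/>'
    '<text x="10" y="20">Open attachment</text>'
    '</a>'
    '<rect width="10" height="10" onload="alert(1)"/>'
    '<script>alert(2)</script>'
    '</svg>'
)

if __name__ == "__main__":
    cleaned, found = sanitize_svg(SAMPLE_SVG)
    for f in found:
        print("-", f)
    print(cleaned)
```

Removing the element family outright is the conservative choice: SMIL can target any attribute on the parent, so an allow-list of "safe" animated attributes is hard to get right, and webmail rarely needs animated SVG. A real sanitizer would also run this after decoding the MIME part and before handing the markup to any HTML-level washer.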
CISA KEV Catalog Inclusion and Federal Mandate
Although CISA did not disclose detailed technical indicators of active exploitation, both vulnerabilities were added to the KEV Catalog, which tracks security flaws confirmed to be abused in real-world attacks. According to CISA, such vulnerabilities represent frequent attack vectors and pose significant risk to federal networks.
Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities within three weeks. The directive reflects a broader federal push to enforce rapid patch management and reduce exposure to publicly known exploits.
Internet Exposure and Ongoing Risk
Internet scanning services currently identify more than 46,000 Roundcube instances accessible online, a separate snapshot from Shadowserver's June 2025 count. While it remains unclear how many are vulnerable to CVE-2025-49113 or CVE-2025-68461, the platform's broad deployment footprint increases the likelihood of continued exploitation.
Roundcube has historically been a recurring target for threat actors. A notable example is CVE-2023-5631, a stored XSS vulnerability exploited as a zero-day by Winter Vivern (TA473) against European government entities; APT28 has likewise leveraged Roundcube XSS flaws in attacks on Ukrainian government email systems.
These incidents underscore the strategic value of webmail infrastructure for both cybercriminals and advanced persistent threat (APT) groups. Email platforms provide access to sensitive communications, authentication tokens, password reset workflows, and internal documentation—making them high-value targets within enterprise and government environments.
Security Best Practices for Roundcube Administrators
Organizations running Roundcube should immediately verify their deployed version (`RCMAIL_VERSION` in `program/include/iniset.php`, or the About dialog in the web interface) and upgrade to at least 1.6.12, or 1.5.12 on the 1.5 branch. Beyond patching, administrators should implement additional hardening measures, including:
- Removing or disabling the `installer/` directory after setup (`enable_installer` must be false) and restricting server administration to trusted IP ranges
- Deploying a web application firewall (WAF) with XSS and RCE detection rules, treated as a stopgap rather than a substitute for the patch
- Enabling multi-factor authentication for webmail access; Roundcube core has no MFA, so this means a plugin or placing the login behind an SSO or identity-aware proxy
- Monitoring logs for anomalous login attempts or suspicious POST requests, using both the web server access log and Roundcube's own logs (set `log_logins` to true to record each login attempt)
- Conducting regular vulnerability scanning of internet-facing assets
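Two of the steps above, checking the installed version and reviewing logs for suspicious requests, can be scripted. The following Python is an added example written for this article, not a Roundcube or CISA tool: it reads `RCMAIL_VERSION` from the text of `program/include/iniset.php`, compares it against the fixed releases for both KEV entries, and triages web-server access-log lines for settings/upload requests whose `_from` parameter is not a plain form identifier (the CVE-2025-49113 vector) and for login bursts per client. The log excerpt and the iniset.php snippet are constructed; the Apache combined log format, the `_from` character heuristic and the login threshold are assumptions to tune locally.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Fixed versions per release branch for the two KEV entries (from the Roundcube
# advisories). Anything newer than the highest fixed version is treated as fixed.
FIXED = {
    "CVE-2025-49113": {"1.5": (1, 5, 10), "1.6": (1, 6, 11)},
    "CVE-2025-68461": {"1.5": (1, 5, 12), "1.6": (1, 6, 12)},
}
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'(\d+(?:\.\d+)+)'")


def installed_version(iniset_source):
    """Parse RCMAIL_VERSION from the text of program/include/iniset.php."""
    m = VERSION_RE.search(iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return tuple(int(p) for p in m.group(1).split("."))


def missing_fixes(version):
    """Return the CVEs whose fix is not present in this version tuple."""
    branch = f"{version[0]}.{version[1]}"
    missing = []
    for cve, per_branch in FIXED.items():
        # Unknown branches (EOL 1.4, or a future 1.7) compare against the newest fix.
        fixed = per_branch.get(branch, max(per_branch.values()))
        if version < fixed:
            missing.append(cve)
    return missing


# Apache combined log format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Legitimate _from values are short form identifiers such as edit-identity.
# CVE-2025-49113 smuggles a serialized PHP object through this parameter, so
# anything outside that character set deserves a look (heuristic, assumed here).
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")


def triage_access_log(lines, login_threshold=5):
    """Flag settings/upload requests with odd _from values and login bursts per IP."""
    login_posts = Counter()
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        qs = parse_qs(urlsplit(target).query)
        task = qs.get("_task", [""])[0]
        action = qs.get("_action", [""])[0]
        if method == "POST" and task == "login":
            login_posts[ip] += 1
        if task == "settings" and action == "upload":
            for value in qs.get("_from", []):
                if not SAFE_FROM.match(value):
                    findings.append(f"{ip}: settings/upload with non-identifier _from={value[:40]!r}")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.append(f"{ip}: {n} login POSTs (possible credential guessing; confirm in Roundcube's userlogins log)")
    return findings


def _line(ip, method, target, status, sec):
    """Build one constructed combined-format log line."""
    return f'{ip} - - [12/Jan/2026:10:01:{sec:02d} +0000] "{method} {target} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed access-log excerpt: one client guesses a password six times, gets
# in, then posts a serialized object (a harmless empty one here) through _from;
# a second client performs an ordinary identity edit and reads its inbox.
SERIALIZED = "O%3A6%3A%22Sample%22%3A0%3A%7B%7D"  # urlencoded O:6:"Sample":0:{}
SAMPLE_LOG = [_line("203.0.113.7", "POST", "/?_task=login", 200, s) for s in range(6)] + [
    _line("203.0.113.7", "POST", f"/?_task=settings&_action=upload&_from={SERIALIZED}", 200, 7),
    _line("198.51.100.4", "POST", "/?_task=settings&_action=upload&_from=edit-identity", 200, 8),
    _line("198.51.100.4", "GET", "/?_task=mail&_mbox=INBOX", 200, 9),
]
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"  # constructed excerpt

if __name__ == "__main__":
    v = installed_version(SAMPLE_INISET)
    print("installed", ".".join(map(str, v)), "missing fixes:", missing_fixes(v))
    for f in triage_access_log(SAMPLE_LOG):
        print("-", f)
```

The login counter works from the access log only, which cannot distinguish a failed login from a successful one because Roundcube re-renders the login page with status 200; treat it as a prompt to check the `userlogins` log (or `errors.log` "Login failed" entries) rather than as a verdict. The version check is file-based so it can run from a backup or a container image without the web interface.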
Given the continued targeting of webmail platforms, proactive patch management, attack surface reduction, and continuous monitoring remain essential components of a resilient cybersecurity strategy.
