CISA Adds Two Roundcube Vulnerabilities to KEV After Confirmed Active Exploitation


Monday, February 23, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Roundcube Webmail to its Known Exploited Vulnerabilities (KEV) catalog after confirming evidence of active exploitation. The vulnerabilities include:

  • CVE-2025-49113 (CVSS 9.9): A deserialization vulnerability that allows authenticated users to execute remote code (RCE).
  • CVE-2025-68461 (CVSS 7.2): A Cross-Site Scripting (XSS) vulnerability triggered via the <animate> tag in SVG image files.
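
As an added defensive example (not code from the advisory or from the Roundcube project), the following Python check counts and strips <animate> elements from an SVG attachment, the vector named for CVE-2025-68461; the sample SVG and its attribute values are constructed for illustration only.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Keep the default namespace on output instead of an ns0: prefix.
ET.register_namespace("", SVG_NS)

# Constructed sample attachment: two <animate> elements, one nested.
# Attribute values are illustrative and carry no payload.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40"/>
  <animate attributeName="r" values="40;10" dur="1s"/>
  <rect x="0" y="0" width="10" height="10">
    <animate attributeName="x" from="0" to="9" dur="2s"/>
  </rect>
</svg>"""


def _local(tag):
    """Strip the namespace: '{http://www.w3.org/2000/svg}animate' -> 'animate'."""
    return tag.rsplit("}", 1)[-1]


def find_animate(svg_bytes):
    """Return how many <animate> elements appear anywhere in the SVG.

    Note: for untrusted input in production, parse with defusedxml rather
    than the stdlib parser to avoid entity-expansion tricks.
    """
    root = ET.fromstring(svg_bytes)
    return sum(1 for el in root.iter() if _local(el.tag) == "animate")


def strip_animate(svg_bytes):
    """Remove every <animate> element; return (sanitized_bytes, removed_count)."""
    root = ET.fromstring(svg_bytes)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = 0
    for el in list(root.iter()):  # snapshot: we mutate the tree while walking
        if _local(el.tag) == "animate":
            parents[el].remove(el)
            removed += 1
    return ET.tostring(root), removed


if __name__ == "__main__":
    print("animate elements found:", find_animate(SAMPLE_SVG))
    clean, n = strip_animate(SAMPLE_SVG)
    print("removed:", n)
    print(clean.decode())
```

A mail gateway or attachment scanner can run find_animate on image/svg+xml parts to flag them for review, and strip_animate (or outright blocking of SVG) as the mitigation until the patched Roundcube release is deployed.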

Security firm FearsOff, which discovered CVE-2025-49113, reported that attackers were able to analyze and weaponize the vulnerability within just 48 hours of public disclosure. The flaw had reportedly existed in the software’s source code for more than 10 years and could be exploited even in default installations, highlighting the widespread risk to organizations running unpatched Roundcube instances. Security updates addressing the issue were released in mid- and late-2025.

At present, the threat actors behind the exploitation of these vulnerabilities have not been definitively identified. However, Roundcube has historically been a frequent target of nation-state threat groups, including APT28 and Winter Vivern. CISA has mandated that Federal Civilian Executive Branch (FCEB) agencies remediate the vulnerabilities by March 13, 2026, and strongly advises private-sector administrators to promptly review and update their Roundcube deployments to the latest available versions.

Source: https://thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html