According to CISA, two RoundCube Webmail vulnerabilities were being exploited in the wild, including CVE-2025-49113, a post-authentication remote code execution issue that was added to KEV, and CVE-2025-68461, a high-severity flaw patched in December 2025. The exploit activity targeted RoundCube Webmail across government and enterprise networks, with threat actors developing code to abuse these flaws within days of public disclosure.
CVE-2025-49113 was patched on 1 June 2025 and affects versions 1.1.0 through 1.6.10, enabling attackers to include a payload in file names during upload, potentially injecting data into the current session. The XSS vulnerability CVE-2025-68461 is exploitable via the animate tag in an SVG document and was resolved in Webmail versions 1.6.12 and 1.5.12.
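The SVG issue above is a reminder that any webmail or web application rendering user-supplied SVG inline must treat SMIL animation elements and event-handler attributes as active content. The following sanitizer is an added, illustrative example written for this article; it is not Roundcube's own code and does not reproduce the project's fix. It assumes SVG attachments are available as text before rendering and uses only the Python standard library; the sample document `SAMPLE_SVG` is constructed for the demonstration. It goes slightly beyond the `animate` case in the text by also dropping the other SMIL animation elements, `script`, `foreignObject`, `on*` handlers and `javascript:` URLs.

```python
"""Defensive SVG attachment sanitizer (constructed example, not Roundcube code).

Removes SMIL animation elements (animate, set, animateTransform,
animateMotion), script and foreignObject elements, on* event-handler
attributes and javascript: URLs before an SVG document is rendered inline.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Keep the customary prefixes in the serialized output.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements dropped entirely, matched on lower-cased local name so that
# namespace prefixes and letter case cannot be used to slip past the check.
DROP_ELEMENTS = {
    "animate", "set", "animatetransform", "animatemotion",
    "script", "foreignobject",
}


def _local(tag: str) -> str:
    """Return the lower-cased local name of a possibly namespaced tag or attribute."""
    return tag.rsplit("}", 1)[-1].lower()


def _is_javascript_url(value: str) -> bool:
    """True if the value resolves to a javascript: scheme once whitespace and
    control characters (which browsers ignore inside the scheme) are removed."""
    compact = "".join(ch for ch in value if ord(ch) > 32).lower()
    return compact.startswith("javascript:")


def _clean_attrs(elem: ET.Element) -> int:
    """Strip event handlers and javascript: hrefs from one element; return count removed."""
    removed = 0
    for name in list(elem.attrib):
        lname = _local(name)
        if lname.startswith("on") or (lname == "href" and _is_javascript_url(elem.attrib[name])):
            del elem.attrib[name]
            removed += 1
    return removed


def sanitize_svg(svg_text: str) -> tuple[str, int]:
    """Return (sanitized SVG text, number of removed elements and attributes).

    Note: ElementTree does not fetch external entities, but for untrusted input in
    production consider a hardened parser such as defusedxml (assumption: available).
    """
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed = 0
    stack = [root]
    while stack:  # explicit stack so we can delete children while walking
        parent = stack.pop()
        removed += _clean_attrs(parent)
        for child in list(parent):
            if _local(child.tag) in DROP_ELEMENTS:
                parent.remove(child)
                removed += 1
            else:
                stack.append(child)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one benign link, one SMIL animation, one event handler
# and one javascript: link.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.invalid/safe"><text y="20">hello</text></a>'
    '<rect width="10" height="10"><animate attributeName="x" from="0" to="10"/></rect>'
    '<circle r="5" onclick="alert(1)"/>'
    '<a href="javascript:alert(1)"><text>x</text></a>'
    "</svg>"
)

if __name__ == "__main__":
    cleaned, count = sanitize_svg(SAMPLE_SVG)
    print(f"removed {count} item(s)")
    print(cleaned)
```

Run against the constructed sample it removes three items (the `animate` element, the `onclick` handler and the `javascript:` link) and leaves the benign `xlink:href` and drawing elements intact. A denylist like this is the minimum; an allowlist of permitted elements and attributes is the stronger design for a mail client, since new active SVG features would otherwise pass by default.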
CISA has urged federal agencies to patch both vulnerabilities within three weeks under Binding Operational Directive 22-01, and recommends organisations review KEV and prioritise addressing the listed security defects.