securityaffairs.com, 2/23/2026, 12:37:20 AM

CISA warns: RoundCube webmail RCE CVE-2025-49113 hits millions

CyberSIXT Evidence Panel
Primary source: cisa.gov
CISA KEV: listed
Patch: available

U.S. CISA has added two RoundCube Webmail flaws to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2025-49113 (CVSS score 9.9) and CVE-2025-68461 (CVSS score 7.2). The critical CVE-2025-49113 is a deserialization-of-untrusted-data vulnerability that lets an authenticated user achieve remote code execution; it was fixed in Roundcube 1.6.11 and 1.5.10 LTS.

The second flaw, CVE-2025-68461, is a cross-site scripting (XSS) vulnerability affecting RoundCube Webmail before 1.5.12 and 1.6.x before 1.6.12. The advisory notes that RoundCube has been repeatedly targeted by threat groups such as APT28 and Winter Vivern, with past campaigns stealing login credentials and spying on communications.
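To turn the fix versions quoted above into a repeatable fleet check, here is an added Python example; it is not code from the page, from CISA, or from the Roundcube project. It encodes only the version ranges the text states (CVE-2025-49113 fixed in 1.6.11 and 1.5.10 LTS, CVE-2025-68461 fixed in 1.6.12 and 1.5.12), treats every release older than the 1.5 fix as affected, and reports branches the advisory does not describe (1.7 and later) as not covered. Reading the installed version from the RCMAIL_VERSION constant in program/include/iniset.php is an assumption about Roundcube's code base, not something the page states, and the iniset.php excerpt below is a constructed sample.

```python
"""Triage helper: which of the two KEV-listed Roundcube CVEs apply to a given version.

Version ranges come from the CISA/Security Affairs text above. Reading the
version from RCMAIL_VERSION in program/include/iniset.php is an assumption
about the Roundcube code base, not a fact stated on the page.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release per branch, per CVE, as stated on the page.
FIXED_IN: Dict[str, Dict[str, Version]] = {
    "CVE-2025-49113": {"1.5": (1, 5, 10), "1.6": (1, 6, 11)},  # deserialization, authenticated RCE
    "CVE-2025-68461": {"1.5": (1, 5, 12), "1.6": (1, 6, 12)},  # cross-site scripting
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_INISET_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(text: str) -> Version:
    """Normalise '1.6.10', '1.6.11-rc' or '1.5' to a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str, cve: str) -> Optional[bool]:
    """True if `version` is older than the fix for `cve` on its branch, False if fixed.

    Everything older than the 1.5 LTS fix (1.4.x, 1.3.x, ...) is treated as
    affected, since the page says the flaws were addressed in 1.5.x/1.6.x only.
    Returns None for branches the page does not describe (1.7 and later).
    """
    v = parse_version(version)
    fixes = FIXED_IN[cve]
    if v[:2] == (1, 6):
        return v < fixes["1.6"]
    if v < fixes["1.5"]:
        return True
    if v[:2] == (1, 5):
        return False
    return None


def assess(version: str) -> Dict[str, Optional[bool]]:
    """Per-CVE verdict for one installed version."""
    return {cve: is_affected(version, cve) for cve in FIXED_IN}


def version_from_iniset(php_source: str) -> Optional[str]:
    """Pull the version string out of iniset.php's RCMAIL_VERSION define (assumed location)."""
    m = _INISET_RE.search(php_source)
    return m.group(1) if m else None


# Constructed excerpt standing in for a real program/include/iniset.php.
SAMPLE_INISET = """<?php
// constructed sample, not a real Roundcube file
define('RCMAIL_VERSION', '1.6.10');
"""

if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(f"installed version: {found}")
    for cve, verdict in assess(found).items():
        state = {True: "AFFECTED, update", False: "fixed", None: "not covered by advisory"}[verdict]
        print(f"  {cve}: {state}")
```

A version string below the fix line is a triage signal, not proof that a host is exploitable: distribution packages often backport the fix while keeping the older upstream version number, so confirm against the package changelog or the distribution's own advisory before closing or escalating a finding.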

At the time of discovery, Kirill Firsov, founder and CEO of FearsOff, estimated that CVE-2025-49113 could affect more than 53 million hosts, and researchers at Positive Technologies have since reproduced the flaw in RoundCube. Agencies are urged to update and address both vulnerabilities; under Binding Operational Directive (BOD) 22-01, CISA has ordered federal agencies to fix them by 10 March 2026.


Article by CyberSIXT