thehackernews.com 2/23/2026, 12:38:06 AM

CISA adds Roundcube webmail RCE CVE-2025-49113 to KEV after sale

CyberSIXT Evidence Panel
Primary source: cisa.gov
CISA KEV: listed
Patch: available

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), two Roundcube webmail flaws have been added to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The vulnerabilities are CVE-2025-49113, a deserialization flaw leading to remote code execution (CVSS 9.9), and CVE-2025-68461, a cross-site scripting flaw via the animate tag in an SVG document (CVSS 7.2).

The article notes that an exploit for CVE-2025-49113 was offered for sale on 4 June 2025, that the issue can be triggered on default installations, and that the vulnerability was reportedly weaponised within 48 hours of disclosure, citing Dubai-based security firm FearsOff and Kirill Firsov. The piece gives no details on who is behind the exploitation, though it observes that prior Roundcube flaws have been linked to nation-state actors such as APT28 and Winter Vivern.

Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by 13 March 2026 to secure their networks against the active threat.


Article by CyberSIXT