Recently Patched RoundCube Flaws Now Exploited in Attacks
Summary:
CISA has added two actively exploited Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, flagging them as significant threats to both federal and private sector infrastructure.
The first, CVE-2025-49113 (CVSS 9.9), is a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users due to the _from parameter not being validated in program/actions/settings/upload[.]php, patched in June 2025. CVE-2025-49113 had been hidden in the codebase for over 10 years, and attackers weaponized it within 48 hours of public disclosure, with an exploit made available for sale by June 4, 2025.
The second, CVE-2025-68461 (CVSS 7.2), is a cross-site scripting vulnerability that allows remote, unauthenticated attackers to exploit the animate tag in SVG documents, patched in December 2025.
Security Officer Comments:
Roundcube is the default mail interface for the widely used cPanel web hosting control panel and has been a repeated target for advanced threat actors, with Shodan currently tracking over 46,000 instances accessible on the internet.
The consequences of exploitation are serious: CVE-2025-49113 enables full remote code execution, while CVE-2025-68461 allows malicious scripts delivered via email to execute in victims' browsers, enabling credential theft and potential lateral movement.
Past Roundcube vulnerabilities have been weaponized by nation-state groups including APT28 and Winter Vivern, who exploited similar flaws to breach Ukrainian government email systems and target European government entities. Although attribution for these specific CVEs has not been confirmed, the historical pattern strongly suggests state-sponsored actors remain the primary threat.
MSP Impact:
MSPs that host webmail infrastructure, particularly those running cPanel-based hosting, are likely managing Roundcube deployments for dozens or hundreds of clients from a shared or segmented infrastructure. A single unpatched instance doesn't just expose one organization; it creates a foothold that could be used to pivot laterally across client environments, especially if authentication, DNS, or billing systems are shared or co-located.
The XSS vulnerability (CVE-2025-68461) is particularly dangerous in MSP contexts because MSP staff and helpdesk personnel routinely access client email systems for support purposes. A malicious email triggering the XSS payload in an MSP technician's browser session could yield high-privilege credentials that span multiple client tenants, a significantly higher-value target than a single-organization compromise.
One of the core challenges for MSPs is that CVE-2025-49113 was weaponized within 48 hours of disclosure and an exploit was on sale within days. MSPs managing large client fleets may not have the patch cadence to respond that quickly at scale, meaning the window of exposure across their portfolio can be significantly longer than for a single-org IT team.
Suggested Corrections:
CISA has ordered Federal Civilian Executive Branch agencies to patch both vulnerabilities by March 13, 2026, under Binding Operational Directive BOD 22-01, and strongly recommends private organizations address them as well.
Organizations should immediately update to Roundcube 1.6.12 or later (which addresses both flaws) and audit any internet-exposed instances. Additionally, it is advisable to limit Roundcube access to internal networks or VPNs where feasible, add detection rules for suspicious serialization activity, integrate alerts into SIEM workflows, and ensure tested backups and an incident response playbook covering mail-server compromise are in place.
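As an added illustration of the audit and detection steps above (this is not code from the advisory or from the Roundcube project), the following Python helper checks a reported Roundcube version against the fixed release and scans web-server access log lines for settings-upload requests whose `_from` value does not look like a plain action token. It assumes Roundcube routes requests through index.php with `_task`/`_action` query parameters, that legitimate `_from` values are short identifier-like strings, and that the log uses the common combined format; the sample lines are constructed.

```python
"""Defender-side triage for the Roundcube issues in this bulletin (added example).

- needs_patch(): is a reported version older than the fixed release, 1.6.12?
- suspicious_upload_requests(): flag settings/upload requests whose `_from`
  parameter (the one CVE-2025-49113 abuses) is not a plain action token.
Only query-string parameters are visible in access logs; POST bodies are not.
"""
import re
from urllib.parse import urlsplit, parse_qs

FIXED_VERSION = (1, 6, 12)  # release the bulletin names as fixing both CVEs
# Assumption: genuine `_from` values are short tokens of letters, digits, '-' or '_'.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Combined log format: client ... [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def needs_patch(version_text):
    v = parse_version(version_text)
    return v is None or v < FIXED_VERSION  # unknown version: treat as unpatched

def suspicious_upload_requests(lines):
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
        # Assumption: the upload handler is reached via _task=settings&_action=upload
        if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
            continue
        for value in qs.get("_from", []):
            if not SAFE_FROM.match(value):
                hits.append({"client": client, "method": method,
                             "status": status, "from": value})
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:10:00:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:10:00:02 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%3B%20x HTTP/1.1" 200 120 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jun/2025:10:00:03 +0000] "GET /?_task=mail&_action=list&_from=%3B%20x HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("1.6.11 needs patch:", needs_patch("Roundcube Webmail 1.6.11"))
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        print("suspicious upload request:", hit)
```

Feed real access logs in place of SAMPLE_LOG and forward hits to the SIEM workflow the bulletin recommends; a non-token `_from` value on the upload action is worth an analyst's look even when the response status is 200.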
Link(s):
https://www.bleepingcomputer.com/ne...hed-roundcube-flaws-now-exploited-in-attacks/