CISA Adds Critical Roundcube RCE and XSS Flaws to KEV Catalog


These articles are AI-generated summaries. Please check the original sources for full details.

CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

CISA has added two critical vulnerabilities in the Roundcube webmail software to its Known Exploited Vulnerabilities catalog following reports of active weaponization. The most severe flaw, CVE-2025-49113, carries a CVSS score of 9.9 and was weaponized within 48 hours of its disclosure.

Why This Matters

While ideal software development models emphasize input validation and secure deserialization, CVE-2025-49113 highlights the technical reality of legacy codebases: a missing validation check in upload.php went unnoticed for more than 10 years. Nation-state actors such as APT28 routinely bridge this gap between theoretical security and active exploitation, turning unpatched default installations into immediate entry points for remote code execution.

Key Insights

  • CVE-2025-49113 is a 9.9-rated deserialization vulnerability in program/actions/settings/upload.php reported by FearsOff in 2025.
  • Threat actors weaponized the Roundcube RCE flaw within 48 hours of public disclosure, with exploits appearing for sale by June 4, 2025.
  • Roundcube has historically been a target for nation-state threat groups including APT28 and Winter Vivern.
  • CVE-2025-68461 is a 7.2-rated XSS vulnerability triggered via animate tags in SVG documents, fixed in December 2025.
  • The Federal Civilian Executive Branch (FCEB) must remediate these vulnerabilities by March 13, 2026.

Practical Applications

  • Use Case: FCEB agencies must patch Roundcube instances before March 2026 to prevent RCE. Pitfall: Running default installations without patching the 10-year-old unvalidated _from parameter leaves them reliably exploitable.
  • Use Case: Security teams should sanitize SVG uploads to mitigate CVE-2025-68461. Pitfall: Allowing animate tags in user-supplied SVG content enables cross-site scripting attacks.
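
An added example for the second use case, written here and not taken from the article or from Roundcube: a Python sanitizer for user-supplied SVG that rejects anything whose root is not svg and strips animate elements, the vector the page names for CVE-2025-68461. The other blocked element names (animateTransform, animateMotion, set, script) and the removal of inline on* event-handler attributes are my assumptions of extra hardening; the sample SVG is constructed for the demo.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # keep the default namespace on output

# "animate" is the element named for CVE-2025-68461. The remaining names are
# an assumption: the other SMIL animation elements and script share the risk.
BLOCKED_ELEMENTS = {"animate", "animatetransform", "animatemotion", "set", "script"}

def _local(name):
    return name.rsplit("}", 1)[-1].lower()  # '{ns}animate' -> 'animate'

def _scrub(el, removed):
    # Assumption: inline event handlers (onload=, onbegin=, ...) are dropped too.
    for attr in list(el.attrib):
        if _local(attr).startswith("on"):
            del el.attrib[attr]
            removed.append("@" + _local(attr))
    for child in list(el):
        if _local(child.tag) in BLOCKED_ELEMENTS:
            el.remove(child)  # the whole subtree goes, handlers included
            removed.append(_local(child.tag))
        else:
            _scrub(child, removed)

def sanitize_svg(svg_text):
    """Return (cleaned_svg, removed). Raises ValueError on malformed XML
    or when the root element is not <svg>."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"malformed SVG: {exc}") from exc
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="unicode"), removed

def is_safe_svg(svg_text):
    """True only if the document parses as SVG and nothing had to be removed."""
    try:
        return not sanitize_svg(svg_text)[1]
    except ValueError:
        return False

# Constructed sample, not a real exploit: an animate element carrying a handler.
SAMPLE_SVG = (f'<svg xmlns="{SVG_NS}"><rect width="1" height="1">'
              '<animate attributeName="x" onbegin="alert(1)"/></rect>'
              '<script>alert(1)</script></svg>')
```

For an upload gate, accept a file only when is_safe_svg returns True, or store the cleaned document from sanitize_svg instead of the original.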
