# RoundCube Webmail Flaws Added to Known Exploited Vulnerabilities Catalog: A Warning for Cybersecurity Professionals

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added two critical vulnerabilities in the popular webmail platform, RoundCube, to its Known Exploited Vulnerabilities (KEV) catalog. These flaws highlight the ongoing threat of unpatched systems and the importance of timely updates for organizations handling sensitive data. In this article, we'll delve into the details of these vulnerabilities and explore their implications for cybersecurity professionals.

RoundCube Webmail has repeatedly been targeted by advanced threat groups such as APT28 and Winter Vivern. Attackers have exploited earlier Roundcube vulnerabilities to steal login credentials and spy on sensitive communications. The addition of these flaws to the KEV catalog serves as a reminder that unpatched systems remain a significant risk, especially for high-value targets.

The critical flaw CVE-2025-49113 is a deserialization of untrusted data vulnerability that went unnoticed for over a decade. An attacker can exploit this flaw to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability after identifying an issue in the `_from` parameter handled by the `program/actions/settings/upload.php` file of RoundCube Webmail. The advisory published by NIST explains that "Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization." The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS.

The second flaw added to the KEV catalog, tracked as CVE-2025-68461, is a cross-site scripting (XSS) vulnerability. According to the advisory, "Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document." Researchers at Positive Technologies have reproduced CVE-2025-49113 in RoundCube, emphasizing the need for users to update to the latest version of RoundCube immediately.
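Because the two advisories fix different patch levels on the 1.5 and 1.6 branches, a plain "is it up to date?" check is easy to get wrong. The script below is an added example (not from the article, CISA or the Roundcube project) that turns the quoted version ranges into a per-CVE check; the hostnames and versions in the sample inventory are constructed.

```python
"""Check a Roundcube version against the two KEV-listed CVEs.

Version boundaries come from the advisory text quoted above:
  CVE-2025-49113: "before 1.5.10 and 1.6.x before 1.6.11"
  CVE-2025-68461: "before 1.5.12 and 1.6 before 1.6.12"
Versions outside those ranges are treated as unaffected, as the advisories word it.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
# Each CVE lists (branch, first_fixed). branch None means "any version below the fix".
ADVISORIES: Dict[str, List[Tuple[Optional[Tuple[int, int]], Version]]] = {
    "CVE-2025-49113": [(None, (1, 5, 10)), ((1, 6), (1, 6, 11))],
    "CVE-2025-68461": [(None, (1, 5, 12)), ((1, 6), (1, 6, 12))],
}


def parse_version(text: str) -> Version:
    """Turn strings like '1.6.10' or '1.5.10-LTS' into a comparable (major, minor, patch)."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: Version, ranges) -> bool:
    """True if the version falls inside any advisory range for one CVE."""
    for branch, first_fixed in ranges:
        if branch is None and version < first_fixed:
            return True  # older than the 1.5 fix: 1.4.x, early 1.5.x, ...
        if branch is not None and version[:2] == branch and version < first_fixed:
            return True  # on the 1.6 branch but below its own fix
    return False


def check_roundcube(version_text: str) -> Dict[str, bool]:
    """Map each KEV-listed CVE to True when the given version is affected."""
    version = parse_version(version_text)
    return {cve: is_vulnerable(version, ranges) for cve, ranges in ADVISORIES.items()}


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> Roundcube version reported by the host.
    inventory = {"mail-01": "1.6.10", "mail-02": "1.6.11", "mail-03": "1.5.12", "legacy": "1.4.15"}
    for host, ver in inventory.items():
        hits = [cve for cve, affected in check_roundcube(ver).items() if affected]
        print(f"{host:8} {ver:8} {'AFFECTED: ' + ', '.join(hits) if hits else 'not affected'}")
```

Note that 1.6.11 closes CVE-2025-49113 but is still listed for CVE-2025-68461, which is why the check is per CVE rather than a single "patched" flag.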

The implications of these vulnerabilities are far-reaching. According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have until March 10, 2026, to address the identified vulnerabilities in their networks. Private organizations should also review the KEV catalog and address these vulnerabilities in their infrastructure to protect against attacks exploiting the flaws.

In conclusion, the addition of RoundCube Webmail flaws to the Known Exploited Vulnerabilities catalog is a wake-up call for cybersecurity professionals. The importance of timely updates and patch management cannot be overstated, especially when it comes to high-value targets. Organizations must take proactive measures to address these vulnerabilities and ensure their networks are secure against ongoing threats.
