CISA: Recently Patched Roundcube Flaws Now Exploited in Attacks

Roundcube Webmail, a widely used web-based email client, has two critical vulnerabilities that the US Cybersecurity and Infrastructure Security Agency (CISA) has flagged as actively exploited in attacks. These flaws were patched in June 2025 and saw widespread exploitation within days. This article covers the details of these vulnerabilities and what organizations can do to protect themselves.

The first vulnerability, CVE-2025-49113, is a remote code execution flaw that has been actively abused by threat actors. This critical flaw was identified in June 2025, just days after it was patched by Roundcube. According to Shadowserver, over 84,000 vulnerable Roundcube webmail installations were exposed to attacks due to this vulnerability. The second vulnerability, CVE-2025-68461, is a low-complexity cross-site scripting (XSS) flaw that can be exploited through the animate tag in SVG documents.

Roundcube fixed these vulnerabilities in versions 1.6.12 and 1.5.12. However, it's unclear how many of the over 46,000 Roundcube instances accessible on the internet are vulnerable to these attacks, and Shodan doesn't provide specific information on the number of vulnerable installations. CISA has added both CVE-2025-49113 and CVE-2025-68461 to its Known Exploited Vulnerabilities (KEV) Catalog.
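A version triage for a host inventory, based on the fixed releases named above (1.6.12 and 1.5.12). This is an added example, not code from CISA or Roundcube; the inventory format, hostnames and status labels are assumptions, and versions on branches the article does not mention are marked for manual review rather than judged.

```python
import re

# Fixed releases as stated in the article, keyed by (major, minor) branch.
FIXED = {(1, 6): (1, 6, 12), (1, 5): (1, 5, 12)}

# Accepts "1.6.11", "v1.6.11" and suffixed builds such as "1.6.12-rc".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+~].+)?$")


def classify(version_text):
    """Return 'vulnerable', 'patched', 'review' or 'unknown' for one version string."""
    m = _VERSION_RE.match(version_text.strip())
    if not m:
        return "unknown"  # unparseable: do not guess, check the host by hand
    version = tuple(int(g) for g in m.group(1, 2, 3))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # The article names no fixed release for this branch.
        return "review"
    if version < fixed:
        return "vulnerable"
    if version == fixed and m.group(4):
        # A pre-release or development build of the fixed version may predate the fix.
        return "review"
    return "patched"


def triage(inventory):
    """Group hosts by status so the vulnerable ones can be patched first."""
    report = {"vulnerable": [], "review": [], "patched": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        report[classify(version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "mail-a.example.org": "1.6.11",
    "mail-b.example.org": "1.6.12",
    "mail-c.example.org": "1.5.9",
    "mail-d.example.org": "1.5.12",
    "mail-e.example.org": "1.4.15",
    "mail-f.example.org": "1.6.12-rc",
    "mail-g.example.org": "not-installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```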

CISA has warned that these vulnerabilities pose significant risks to the federal enterprise and has ordered Federal Civilian Executive Branch agencies to secure their systems against them within three weeks. The agency's Binding Operational Directive (BOD) 22-01, issued in November 2021, requires agencies to take immediate action to address the identified security flaws.

The recent exploitation of Roundcube vulnerabilities highlights the importance of keeping software up to date and monitoring for known security bugs. In recent months, we've seen other high-profile vulnerabilities exploited by threat actors, including a five-year-old GitLab flaw that was recently targeted in attacks. CISA has also flagged critical SolarWinds RCE flaws as exploited in attacks and ordered federal agencies to patch the MongoBleed flaw, which has likewise been exploited in attacks.

As IT infrastructure continues to change at a rapid pace, it's essential for organizations to stay informed about the latest security threats and vulnerabilities. By following best practices and staying ahead of emerging risks, your organization can reduce its exposure to cyber threats and protect sensitive data.

Conclusion

In conclusion, the recent exploitation of Roundcube vulnerabilities serves as a reminder of the importance of keeping software up to date and monitoring for known security bugs. CISA's efforts to raise awareness about these vulnerabilities are crucial in helping organizations stay ahead of emerging risks. By staying informed and taking proactive steps to secure their systems, federal agencies can reduce their exposure to cyber threats and protect sensitive data.
