The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below –
- CVE-2025-49113 (CVSS score: 9.9) – A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)
- CVE-2025-68461 (CVSS score: 7.2) – A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025)
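To illustrate the class of issue behind CVE-2025-68461, the following Python sanitizer is an added example written for this page (it is not Roundcube's own washtml filter and does not reproduce its fix). It drops SMIL animation elements such as `animate` from an SVG document and strips attributes that can carry script. The element list, the attribute policy and the sample SVG are assumptions of this example; upgrading to the December 2025 release is the actual remediation.

```python
import xml.etree.ElementTree as ET

# Illustrative sanitizer for SVG attachments (example code, not Roundcube's
# own washtml filter). Policy assumed here: SMIL animation elements are
# dropped entirely, and attributes that can carry script are removed.
# For untrusted input in production, parse with defusedxml instead of the
# stdlib parser to avoid entity-expansion attacks.

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# 'animate' is the element named in the CVE; the other SMIL animation
# elements are treated as the same class (an assumption of this example).
ANIMATION_TAGS = {"animate", "animatetransform", "animatemotion", "set"}


def _local(name: str) -> str:
    """Strip a '{namespace}' prefix and lower-case the local name."""
    return name.split("}", 1)[-1].lower()


def count_animation_elements(svg_text: str) -> int:
    """How many SMIL animation elements the document contains."""
    root = ET.fromstring(svg_text)
    return sum(1 for el in root.iter() if _local(el.tag) in ANIMATION_TAGS)


def sanitize_svg(svg_text: str) -> str:
    """Return the SVG with animation elements and scriptable attributes removed."""
    root = ET.fromstring(svg_text)
    # Collect parents first; removing children while iterating is unsafe.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in ANIMATION_TAGS:
                parent.remove(child)
    for el in root.iter():
        for attr in list(el.attrib):
            lname = _local(attr)
            value = el.attrib[attr].strip().lower()
            # Event handlers (on*) and javascript: link targets are dropped.
            if lname.startswith("on") or (lname == "href" and value.startswith("javascript:")):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample (not from the advisory): a link whose target an
# <animate> element would rewrite to a javascript: URL once it runs.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.test/"><text x="10" y="20">open</text>'
    '<animate attributeName="xlink:href" values="javascript:alert(1)" begin="0s"/>'
    '</a></svg>'
)

if __name__ == "__main__":
    print("animation elements before:", count_animation_elements(SAMPLE_SVG))
    cleaned = sanitize_svg(SAMPLE_SVG)
    print("animation elements after: ", count_animation_elements(cleaned))
    print(cleaned)
```

The point of removing the whole `animate` element rather than only its suspicious attribute values is that an animation can change an attribute of its parent (here the link's `href`) after the static markup has been checked, so a filter that only inspects the markup as written misses it.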
Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers had already “diffed and weaponized the vulnerability” within 48 hours of its public disclosure. An exploit for the vulnerability was subsequently put up for sale on June 4, 2025.
Firsov also noted that the flaw can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years.
There are no details yet on who is behind the exploitation of the two Roundcube flaws. But several vulnerabilities in the email software have previously been weaponized by nation-state threat actors such as APT28 and Winter Vivern.
Federal Civilian Executive Branch (FCEB) agencies are required to remediate the identified vulnerabilities by March 13, 2026, to secure their networks against the active threat.
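To show what “the _from parameter is not validated” means in practice, here is an added example in Python (not Roundcube's code, which is PHP, and not a reproduction of the exploit): an allow-list check on _from of the kind a server would apply before using the value, and the same check run over constructed access-log lines to hunt for requests that reached the settings upload action with an unexpected _from value. The token pattern, the log lines and the flagged value are assumptions of this example; upgrading remains the fix.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Example detection logic (added here; not Roundcube's code). It validates
# the _from parameter the way a server-side allow-list would, and runs that
# same check over web-server access logs to find requests that reached the
# settings upload action with a _from value outside the expected shape.
#
# Assumption: a legitimate _from value is a short, lowercase token of letters
# and hyphens. The article does not list the legitimate values; adjust the
# pattern to what your deployment actually sends before relying on it.
SAFE_FROM = re.compile(r"^[a-z][a-z-]{0,31}$")

# Request part of a combined-log-format line, e.g. "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def validate_from(value: str) -> str:
    """Server-side style check: accept only values matching the allow-list."""
    if not SAFE_FROM.match(value):
        raise ValueError("unexpected _from value: %r" % value)
    return value


def flag_upload_request(line: str):
    """Return the offending _from value if this log line hits the settings
    upload action with a value that fails validation, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)
    if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
        return None
    for value in query.get("_from", []):  # parse_qs already percent-decodes
        if not SAFE_FROM.match(value):
            return value
    return None


def hunt(lines):
    """(line index, _from value) for every suspicious request in the log."""
    hits = []
    for idx, line in enumerate(lines):
        value = flag_upload_request(line)
        if value is not None:
            hits.append((idx, value))
    return hits


# Constructed access-log lines (not real traffic). The second line carries
# punctuation outside the token class; it is a placeholder, not a payload.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Jun/2025:10:01:07 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=%21abc%3B HTTP/1.1" 200 87 "-" "curl/8.0"',
    '203.0.113.9 - - [03/Jun/2025:10:01:09 +0000] "GET /roundcube/?_task=mail&_action=show&_from=%21abc%3B HTTP/1.1" 200 4096 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for idx, value in hunt(SAMPLE_LOG):
        print("suspicious _from on line %d: %r" % (idx, value))
```

Only requests that reach `_task=settings&_action=upload` are considered, so the same odd value on an unrelated action (third line) is not reported; a hunt over real logs should start from the disclosure date and treat any hit on a still-unpatched host as a trigger for the incident process, not just a patch.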