PROBABLYPWNED
Vulnerabilities | February 21, 2026 | 4 min read

CISA Adds Two Roundcube Flaws to KEV After Active Exploitation

CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.

Marcus Chen

CISA added two security flaws affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog on February 20, 2026, after confirming active exploitation in the wild. Federal Civilian Executive Branch agencies now have until March 13, 2026, to apply patches or face non-compliance with BOD 22-01.

The more severe of the two—CVE-2025-49113—carries a CVSS score of 9.9 and allows authenticated users to achieve remote code execution through a deserialization of untrusted data vulnerability. The flaw stems from improper validation of the _from parameter in a URL within program/actions/settings/upload.php.

How Attackers Weaponized the Bug in 48 Hours

According to FearsOff, whose founder Kirill Firsov discovered and reported CVE-2025-49113, attackers diffed and weaponized the vulnerability within 48 hours of public disclosure. An exploit was reportedly offered for sale on cybercriminal forums by June 4, 2025—the same week the patch dropped.

What makes this particularly dangerous: the shortcoming triggers reliably on default Roundcube installations. Firsov noted the vulnerable code had been present in the codebase for over 10 years, suggesting millions of deployments could be running unpatched versions.

The second vulnerability, CVE-2025-68461, is a cross-site scripting flaw with a lower severity rating but still poses risks for session hijacking and credential theft when chained with social engineering.

Affected Versions and Remediation

Roundcube patched CVE-2025-49113 in June 2025, meaning organizations have had eight months to update. Yet the addition to CISA's KEV catalog signals that unpatched instances remain abundant targets.

Organizations running self-hosted Roundcube webmail should:

  1. Update immediately to the latest stable release addressing both CVEs
  2. Audit authentication logs for unusual upload activity or parameter manipulation
  3. Restrict network access to webmail interfaces where possible
  4. Enable web application firewalls with rules blocking malicious serialized payloads
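Step 2 is the one most teams skip because "unusual upload activity" is vague. The script below is an added example (not Roundcube's code and not from the article) that shows one concrete way to do it: parse web-server access logs in Apache combined format, pick out requests to the settings upload action, and flag any `_from` value that is not a plain short token. It assumes the log format, the sample lines (constructed, not real traffic), and the rule that legitimate `_from` values are short alphanumeric tokens such as `edit-identity`; the last assumption should be checked against your own install's normal traffic before you rely on it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Apache "combined" format (not real traffic).
# Lines 3 and 4 carry _from values with characters a normal client never sends.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Feb/2026:10:01:02 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [20/Feb/2026:10:02:15 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Feb/2026:10:05:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%3Bx%3D1 HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [20/Feb/2026:10:05:45 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A8%3A HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: a legitimate _from value is a short token like "edit-identity".
# Anything with punctuation, whitespace or serialization markers is worth a look.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def parse_line(line):
    """Return the parsed fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_action(query):
    """True when the request targets the settings upload action (program/actions/settings/upload.php)."""
    return query.get("_task", [""])[0] == "settings" and query.get("_action", [""])[0] == "upload"


def flag_request(entry):
    """Return a reason string if the request carries a suspicious _from value, else None."""
    url = urlsplit(entry["path"])
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if not is_upload_action(query):
        return None
    for value in query.get("_from", []):
        if not SAFE_FROM.match(value):
            return f"unexpected _from value {value!r}"
    return None


def audit(log_text):
    """Scan a block of log text and return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reason = flag_request(entry)
        if reason:
            findings.append(
                {"ip": entry["ip"], "ts": entry["ts"], "status": entry["status"],
                 "ua": entry["ua"], "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['ua']!r} status={f['status']}: {f['reason']}")
```

Two caveats when running this against real logs: parameters sent in a POST body do not appear in access logs, so pair this with application-level logging or a WAF audit log if you need body coverage, and a hit on a single odd value is a lead to investigate, not proof of compromise; correlate by source IP, user agent and the account that was authenticated at the time.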

This isn't the first time webmail platforms have landed in CISA's crosshairs. The agency previously flagged critical vulnerabilities in Zimbra and other collaboration tools that attackers exploited for initial access in corporate networks.

Why Webmail Remains a Prime Target

Enterprise webmail systems present attackers with a compelling combination: widespread deployment, often internet-facing exposure, and direct access to sensitive communications. A compromised webmail server provides both credential harvesting opportunities and a pivot point into internal networks.

Roundcube's open-source nature and popularity among organizations preferring self-hosted solutions make it an attractive target. Unlike managed email services with automatic patching, self-hosted deployments require manual intervention—creating windows where known vulnerabilities remain exploitable.

The deserialization attack class behind CVE-2025-49113 continues proving problematic across web applications. When applications deserialize untrusted data without proper validation, attackers can inject malicious objects that execute arbitrary code upon reconstruction. This pattern has plagued Java applications, PHP frameworks, and numerous CMS platforms over the years.
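To make the pattern concrete, here is an added example in Python (not Roundcube's PHP code and not from the article) that shows the same failure mode with Python's `pickle`: a serialized object can name a callable that runs when the object is rebuilt. The block puts the vulnerable loader next to two hardened alternatives, a restricted unpickler that refuses to resolve any global, and a data-only JSON format checked against an explicit schema. The `Gadget` class, the `os.getcwd` callable it names (chosen because it is harmless), and the `EXPECTED_KEYS` schema are all constructed for the demonstration.

```python
import io
import json
import os
import pickle


class Gadget:
    """Constructed stand-in for a gadget class: __reduce__ tells pickle which callable
    to invoke on reconstruction. os.getcwd is used here because it is harmless."""

    def __reduce__(self):
        return (os.getcwd, ())


# Constructed "untrusted" input: what an attacker-controlled byte string looks like.
UNTRUSTED_PICKLE = pickle.dumps(Gadget())


def load_unsafely(data):
    """Vulnerable pattern: reconstruct whatever the bytes describe, callables included."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: never resolve a global, so no class or function can be rebuilt."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(data):
    """Deserialize with the restricted loader; raises on any global reference."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


# Preferred fix: a data-only format plus an explicit schema (constructed for the example).
EXPECTED_KEYS = {"from": str, "filename": str}


def load_validated_json(text):
    """Parse JSON and reject anything that is not exactly the expected shape."""
    obj = json.loads(text)
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_KEYS):
        raise ValueError("unexpected shape")
    for key, typ in EXPECTED_KEYS.items():
        if not isinstance(obj[key], typ):
            raise ValueError(f"field {key!r} must be {typ.__name__}")
    return obj


def demo():
    """Run the three loaders on the constructed input and report what each did."""
    results = {}
    # The callable named in the payload ran: the result is the current directory string.
    results["unsafe"] = load_unsafely(UNTRUSTED_PICKLE)
    try:
        load_restricted(UNTRUSTED_PICKLE)
        results["restricted"] = "loaded"
    except pickle.UnpicklingError:
        results["restricted"] = "blocked"
    results["json"] = load_validated_json('{"from": "edit-identity", "filename": "sig.png"}')
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The restricted unpickler is the right tool only when you are stuck with a native serialization format; where you control both ends, the JSON path is the one to prefer, because the format cannot express "call this function" at all and the remaining risk is reduced to validating plain values.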

CISA's KEV Mandate in Practice

The CISA Known Exploited Vulnerabilities catalog represents the agency's most actionable threat intelligence. Unlike the broader CVE database, KEV entries are confirmed exploited in real attacks—not theoretical risks.

Under BOD 22-01, federal agencies must remediate KEV entries within agency-defined timelines, typically 14 days for critical infrastructure-impacting flaws. The March 13 deadline for these Roundcube vulnerabilities reflects that urgency.

Private sector organizations should treat KEV additions with similar priority. If CISA confirms active exploitation, threat actors are already scanning for vulnerable systems. The window between KEV publication and mass exploitation campaigns has compressed dramatically—sometimes measured in hours rather than days.

The Bigger Picture

Webmail vulnerabilities like these highlight the challenges organizations face managing internet-facing applications. For guidance on recognizing email-based threats that could exploit webmail systems, review our phishing email examples guide covering common attack patterns.

The Roundcube additions bring CISA's 2026 KEV total to over 50 entries in the first two months alone. Security teams should consider automated KEV monitoring to catch new additions immediately rather than discovering them through breach investigation.
