CISA Adds Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog
CISA added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation: CVE-2025-49113 (CVSS 9.9), a deserialization issue enabling authenticated remote code execution due to improper validation of the _from URL parameter in program/actions/settings/upload.php, and CVE-2025-68461 (CVSS 7.2), an XSS flaw involving the animate tag in an SVG document. CISA directed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by 2026-03-13, and advised applying vendor mitigations per guidance (or discontinuing use if mitigations are unavailable).
The KEV repository updates for 2026-02-20 reflect both Roundcube entries, including mappings to CWE-502 (deserialization) and CWE-79 (XSS) and links to Roundcube advisories/releases. Reporting also noted that researchers observed rapid attacker uptake of CVE-2025-49113 after disclosure, including claims that attackers quickly “diffed and weaponized” the bug and that exploit access was offered for sale shortly after. Separate reporting about BeyondTrust Remote Support/Privileged Remote Access (CVE-2026-1731) describes a different KEV addition and is not part of the Roundcube event.
Timeline
Feb 23, 2026
Nuclei template released for detecting CVE-2025-68461 exposure
A ProjectDiscovery pull request added a Nuclei template to identify Roundcube instances vulnerable to CVE-2025-68461 by checking the rcversion value the application exposes. The template flagged versions earlier than 1.5.12 on the 1.5 branch and earlier than 1.6.12 on the 1.6 branch.
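The version check the template performs is easy to get wrong because the two fixes live on two release branches (1.5.x and 1.6.x), and the two CVEs were fixed in different point releases. The following is an added example, not the ProjectDiscovery template or Roundcube's code: it takes a version value as exposed in a Roundcube page, normalises it, and reports which of the two CVEs on this page that version predates. The integer rcversion encoding (major*10000 + minor*100 + patch, so 10611 means 1.6.11) and the page fragment in `SAMPLE_PAGE` are assumptions made for this example.

```python
"""Version triage for the two Roundcube CVEs discussed on this page.

Added example, not the ProjectDiscovery template. Assumptions: the integer
rcversion value encodes major*10000 + minor*100 + patch (10611 == 1.6.11),
and SAMPLE_PAGE is a constructed fragment of a Roundcube page environment.
"""
import re

# Fixed releases per branch, as stated on this page:
# CVE-2025-49113 fixed in 1.6.11 / 1.5.10, CVE-2025-68461 in 1.6.12 / 1.5.12.
FIXED = {
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},
    "CVE-2025-68461": {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)},
}

RCVERSION_RE = re.compile(r'"rcversion":\s*(\d+)')

# Constructed fragment of the kind of page environment the check reads.
SAMPLE_PAGE = ('rcmail.set_env({"task":"login","rcversion":10610,'
               '"x_frame_options":"sameorigin"});')


def extract_rcversion(page_body):
    """Return the integer rcversion found in a Roundcube page body, or None."""
    m = RCVERSION_RE.search(page_body)
    return int(m.group(1)) if m else None


def parse_version(raw):
    """Normalise "1.6.11" or the integer 10611 into a (major, minor, patch) tuple."""
    s = str(raw).strip()
    if s.isdigit():  # assumed rcversion integer encoding
        n = int(s)
        return (n // 10000, (n // 100) % 100, n % 100)
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version: {raw!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def affected_cves(raw):
    """Return the sorted list of CVEs from this page whose fix `raw` predates.

    A version on a branch with a listed fix is compared against that branch's
    fix, so 1.5.11 is past the 1.5.10 fix for CVE-2025-49113 but short of the
    1.5.12 fix for CVE-2025-68461. Branches older than every listed fix
    (e.g. 1.4.x) count as affected; branches newer than all of them do not.
    """
    version = parse_version(raw)
    hits = []
    for cve, fixes in FIXED.items():
        fix = fixes.get(version[:2], min(fixes.values()))
        if version < fix:
            hits.append(cve)
    return sorted(hits)


if __name__ == "__main__":
    samples = ["1.5.9", "1.5.11", "1.6.10", "1.6.11", "1.6.12",
               extract_rcversion(SAMPLE_PAGE)]
    for v in samples:
        print(v, affected_cves(v) or "not affected by either CVE")
```

The branch-aware comparison is the point: a naive "less than 1.6.12" test would wrongly clear 1.5.11 (still exposed to CVE-2025-68461) and wrongly flag nothing on the 1.5 branch at all if it only looked at 1.6.x numbers.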
Feb 20, 2026
CISA KEV update expands with additional exploited products
In the same February 20, 2026 KEV update cycle, CISA's catalog also gained exploited vulnerabilities affecting GitLab, Dell RecoverPoint for Virtual Machines, and Synacor Zimbra Collaboration Suite. The catalog version increased from 2026.02.19 to 2026.02.20 and the total count rose from 1524 to 1526.
Feb 20, 2026
CISA adds two Roundcube flaws to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog to add Roundcube Webmail flaws CVE-2025-49113 and CVE-2025-68461 based on evidence of active exploitation. The update was published on February 20, 2026, and set a federal remediation deadline in mid-March 2026.
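The catalog is published as a JSON feed, and the practical work for a defender is diffing successive snapshots, matching entries against the products actually deployed, and tracking the BOD 22-01 due date. The following is an added example, not CISA's code: the field names (catalogVersion, count, vulnerabilities, cveID, vendorProject, product, dateAdded, dueDate, cwes, and so on) follow the public feed's schema as known to the author of this example, and the two snapshots below are constructed, carrying only the two Roundcube entries this page describes (with the dates, CWE mappings and due date from the page) plus an obvious placeholder entry; the vulnerabilityName strings and the vendor/product spellings are assumptions.

```python
"""Diffing and triaging CISA KEV catalog snapshots.

Added example, not CISA's code. The feed schema is reproduced from memory
of the public JSON feed; the two snapshots are constructed for this example.
"""
import json
from datetime import date


def _entry(cve, vendor, product, name, added, due, cwes):
    """Build one catalog entry in the feed's shape (values are constructed)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": added,
            "shortDescription": name,
            "requiredAction": "Apply mitigations per vendor instructions or "
                              "discontinue use of the product if mitigations "
                              "are unavailable.",
            "dueDate": due, "knownRansomwareCampaignUse": "Unknown",
            "notes": "", "cwes": cwes}


def _catalog(version, entries):
    """Serialise a snapshot with the feed's top-level fields."""
    return json.dumps({"title": "CISA Catalog of Known Exploited Vulnerabilities",
                       "catalogVersion": version,
                       "dateReleased": version.replace(".", "-") + "T00:00:00.0000Z",
                       "count": len(entries), "vulnerabilities": entries})


PLACEHOLDER = _entry("CVE-0000-00000", "ExampleVendor", "ExampleProduct",
                     "Placeholder entry (constructed)", "2026-01-01",
                     "2026-01-22", [])
ROUNDCUBE = [  # dates, CWEs and due date as stated on this page; names constructed
    _entry("CVE-2025-49113", "Roundcube", "Webmail",
           "Roundcube Webmail Deserialization of Untrusted Data Vulnerability",
           "2026-02-20", "2026-03-13", ["CWE-502"]),
    _entry("CVE-2025-68461", "Roundcube", "Webmail",
           "Roundcube Webmail Cross-Site Scripting Vulnerability",
           "2026-02-20", "2026-03-13", ["CWE-79"]),
]
OLD_CATALOG_JSON = _catalog("2026.02.19", [PLACEHOLDER])
NEW_CATALOG_JSON = _catalog("2026.02.20", [PLACEHOLDER] + ROUNDCUBE)


def load_catalog(text):
    """Parse a feed snapshot and check its count invariant before trusting it."""
    cat = json.loads(text)
    if cat["count"] != len(cat["vulnerabilities"]):
        raise ValueError("count field does not match number of entries")
    return cat


def added_since(old, new):
    """Entries present in `new` but absent from `old`, keyed on cveID."""
    known = {e["cveID"] for e in old["vulnerabilities"]}
    return [e for e in new["vulnerabilities"] if e["cveID"] not in known]


def remediation_report(catalog, inventory, today):
    """Match entries to the (vendor, product) pairs you run and compute the
    days left until each due date (negative means overdue)."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    report = []
    for e in catalog["vulnerabilities"]:
        if (e["vendorProject"].lower(), e["product"].lower()) in wanted:
            days_left = (date.fromisoformat(e["dueDate"]) - today).days
            report.append({"cveID": e["cveID"], "dueDate": e["dueDate"],
                           "daysLeft": days_left, "cwes": e["cwes"]})
    return sorted(report, key=lambda r: (r["daysLeft"], r["cveID"]))


if __name__ == "__main__":
    old, new = load_catalog(OLD_CATALOG_JSON), load_catalog(NEW_CATALOG_JSON)
    print(old["catalogVersion"], "->", new["catalogVersion"],
          "added:", [e["cveID"] for e in added_since(old, new)])
    for row in remediation_report(new, [("Roundcube", "Webmail")], date(2026, 2, 20)):
        print(row)
```

Matching on vendor and product is deliberately case-insensitive because inventory systems rarely spell names the way the feed does; for real use the inventory side usually needs a small alias table in front of this lookup.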
Dec 1, 2025
Roundcube patches CVE-2025-68461 XSS flaw
Roundcube fixed CVE-2025-68461, an SVG animate tag cross-site scripting vulnerability, in versions 1.6.12 and 1.5.12. Reporting indicates the patch was released in December 2025.
Jun 4, 2025
Attackers weaponize CVE-2025-49113 after disclosure
Researchers at FearsOff said attackers weaponized the Roundcube CVE-2025-49113 flaw within 48 hours of its public disclosure, showing how quickly the vulnerability moved from disclosure to active offensive use.
Jun 4, 2025
Exploit for CVE-2025-49113 offered for sale
An exploit targeting Roundcube CVE-2025-49113 was reportedly offered for sale shortly after disclosure. One report places this sale on June 4, 2025, indicating rapid weaponization interest.
Jun 1, 2025
Roundcube patches CVE-2025-49113 remote code execution flaw
Roundcube released fixes for CVE-2025-49113, a deserialization vulnerability that can lead to authenticated remote code execution, in versions 1.6.11 and 1.5.10 LTS. Multiple reports state the flaw was patched on June 1, 2025.
Related Stories

CISA Flags Actively Exploited Vulnerabilities as KEV Adds Expand to BeyondTrust and Roundcube
CISA updated its *Known Exploited Vulnerabilities (KEV) Catalog* to reflect **active exploitation** of a previously patched **BeyondTrust** remote code execution flaw, **CVE-2026-1731** (CVSS 9.9), which has now been tied to **ransomware activity**. Reporting also cited third-party telemetry indicating an increase in exploitation attempts, and emphasized that because BeyondTrust commonly sits in **identity/privileged access** paths, successful RCE can rapidly translate into broad enterprise compromise; recommended mitigations included immediate patching and, if patching is not immediately possible, taking the affected portal offline or tightly restricting access. Separately, CISA also announced the addition of two **Roundcube Webmail** vulnerabilities to the KEV Catalog based on evidence of active exploitation: **CVE-2025-49113** (deserialization of untrusted data) and **CVE-2025-68461** (cross-site scripting). CISA reiterated that under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by mandated deadlines, and urged all organizations to prioritize remediation of KEV entries as a high-signal indicator of real-world exploitation risk.
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2025-31125** (Vite/Vitejs improper access control), **CVE-2025-34026** (Versa Concerto improper authentication), **CVE-2025-54313** (*eslint-config-prettier* embedded malicious code), and **CVE-2025-68645** (Synacor **Zimbra Collaboration Suite** PHP remote file inclusion). Under **Binding Operational Directive (BOD) 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by CISA’s specified due dates; CISA also urged all organizations to prioritize patching these KEV entries as part of routine vulnerability management. Reporting on the update highlighted technical risk details for several of the newly listed items, including an authentication bypass in **Versa Concerto** (reported as affecting versions 12.1.2 through 12.2.0) tied to a Traefik reverse-proxy misconfiguration that could expose administrative endpoints (including an internal Actuator endpoint with access to heap dumps and trace logs). It also described the supply-chain impact of the **eslint-config-prettier** malicious code issue, where installing affected versions can execute an `install.js` that launches Windows malware, and noted the **Zimbra** webmail flaw enabling unauthenticated file inclusion from the web root in affected 10.0/10.1 versions. Separately, CISA also published an ICS advisory for **EVMAPA** EV-charging infrastructure vulnerabilities, but that advisory is not part of the KEV-additions event.