INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
CISA Flags Two Recently Patched Roundcube Flaws as Actively Exploited
2026-02-23 11:44 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
CISA has added two recently patched Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The first, CVE-2025-49113, is a critical (CVSS 9.9) deserialization of untrusted data flaw in program/actions/settings/upload.php that allows authenticated remote code execution; it was patched in June 2025 and was flagged as exploited within days, when Shadowserver reported over 84,000 vulnerable Roundcube installations. The second, CVE-2025-68461 (CVSS 7.2), is a cross-site scripting flaw that abuses the animate tag in SVG documents and was fixed in December 2025 in Roundcube 1.6.12 and 1.5.12. Under BOD 22-01, CISA has ordered Federal Civilian Executive Branch agencies to remediate both flaws by March 13, 2026, and Roundcube recommends updating all productive installations of the 1.6.x and 1.5.x branches.
Technical Mitigations (AI-generated)
* Update Roundcube Webmail to a release that fixes both flaws (1.6.12 or 1.5.12 for CVE-2025-68461; the June 2025 fix for CVE-2025-49113) and keep it current: CISA tracks ten other Roundcube vulnerabilities that have been exploited in attacks.
* Validate request parameters that end up as session or storage keys, such as the _from parameter handled by program/actions/settings/upload.php, against a strict allowlist, and never let untrusted input reach a deserialization path (CVE-2025-49113).
* Sanitize SVG in message bodies and attachments: strip SMIL animation elements (animate, set, animateTransform, animateMotion), event-handler attributes and javascript: URIs, or deliver SVG attachments only as downloads. HTTPS protects credentials in transit but does nothing against cross-site scripting (CVE-2025-68461).
* Monitor web server and Roundcube logs for settings/upload requests whose _from value contains characters outside the expected identifier set, and for SVG attachments that contain animate elements; investigate promptly.
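For the monitoring point above, the following is an added example (not from the page or from any vendor): a Python scan over constructed Apache combined-format access-log lines that flags settings/upload requests whose _from value contains characters outside the identifier set a Roundcube form would send. The URL shape, the allowlist and the suspicious value are assumptions made for the example; the value is a constructed string, not a real exploit payload. Because CVE-2025-49113 needs an authenticated session, a hit should be correlated with Roundcube's own user log to identify the account involved.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format lines for this example (not real telemetry).
# Line 1: a normal identity-settings upload. Line 2: the same action with a _from
# value no Roundcube form would send. Line 3: unrelated traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Feb/2026:10:00:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Feb/2026:10:00:07 +0000] "GET /?_task=settings&_action=upload&_from=x%7CN%3Bevil%7CO%3A4%3A%22Evil%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
198.51.100.7 - - [21/Feb/2026:10:00:09 +0000] "POST /?_task=mail&_action=send HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SAFE_FROM = re.compile(r"[A-Za-z0-9_-]+")   # assumed identifier set for legitimate _from values
RULE = "roundcube-settings-upload-unexpected-from"


def scan_line(line: str):
    """Return a finding dict for a suspicious settings/upload request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes the values, so %7C becomes '|' before the allowlist check
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
        return None
    for value in qs.get("_from", []):
        if not SAFE_FROM.fullmatch(value):
            return {
                "rule": RULE,
                "ip": m["ip"],
                "ts": m["ts"],
                "status": m["status"],
                "from": value,
                "user_agent": line.rsplit('"', 2)[-2],
            }
    return None


def scan(log_text: str) -> list:
    """Run scan_line over every line and keep the findings."""
    return [hit for hit in map(scan_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A 200 response on a flagged request does not by itself prove a successful exploit, only that the action was reached by an authenticated session; the decoded _from value and the user agent are the pivot points for the investigation.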
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: APT28; Winter Vivern (TA473); CVE-2025-49113; CVE-2025-68461; CVE-2023-5631
Target & Sectors: Ukraine (UA); Government
Incident Timeline
November 2021
CISA issues Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch agencies to remediate vulnerabilities listed in the Known Exploited Vulnerabilities catalog by their due dates.
attribution
Federal Civilian Executive Branch (FCEB)
The U.S. cybersecurity agency has ordered Federal Civilian Executive Branch (FCEB) agencies to secure their systems against these security bugs within three weeks, by March 13, as mandated by a binding operational directive (BOD 22-01) issued in November 2021.
infrastructure
Roundcube
Roundcube vulnerabilities have been a popular target for cybercrime and state-sponsored threat groups, the most recent being a stored cross-site scripting (XSS) vulnerability (CVE-2023-5631) exploited by the Winter Vivern (TA473) Russian hacking group in zero-day attacks targeting European government entities and by the Russian APT28 cyber-espionage group to breach Ukrainian government email systems.
June 2025
Roundcube patches CVE-2025-49113. A working exploit is reported to be available by June 4, 2025, and threat actors begin exploiting the recently patched deserialization of untrusted data vulnerability against Roundcube webmail installations.
vulnerability
CVE-2025-49113
(CVSS score: 9.9) - A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)
tactic
Remote Code Execution
The first vulnerability tagged as actively abused by threat actors is a critical remote code execution flaw tracked as CVE-2025-49113, which was first flagged as exploited days after it was patched in June 2025, when Internet security watchdog Shadowserver warned that over 84,000 Roundcube webmail installations were vulnerable to attacks.
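As an added example (not code from the page, from Roundcube or from FearsOff), the following Python models the bug class that the CVE-2025-49113 description points at: a request value that is never validated ends up as a key in a PHP-serialized session, so an attacker who controls the key can smuggle a complete extra entry, including an object, into the serialized blob that the next request unserializes. The page states only that the _from parameter reaches program/actions/settings/upload.php unvalidated; that the value was used as a session key, the `compose_data_` prefix, the allowlist regex and the `Evil` class name are assumptions made for this demonstration (the class stands in for a real gadget and does nothing itself). The encoding modelled is PHP's standard `name|serialize(value)` session format.

```python
import re

# Added example. Models PHP's default session encoding ("name|serialize(value)"
# entries concatenated) and a handler that stores per-request state under a key
# derived from the `_from` query parameter. The key prefix, the allowlist regex
# and the "Evil" class are assumptions for this demo, not Roundcube code.

SAFE_KEY = re.compile(r"[A-Za-z0-9_-]+")   # assumed allowlist, not Roundcube's exact check


def php_serialize(value) -> str:
    """Encode str/int/bool/None/dict in PHP serialize() notation."""
    if value is None:
        return "N;"
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(type(value).__name__)


def session_encode(session: dict) -> str:
    # The "php" session handler separates a name from its value with '|' and relies
    # on the serialized value's own terminator to find where the next entry starts.
    return "".join(f"{name}|{php_serialize(value)}" for name, value in session.items())


def _parse(blob: str, i: int):
    """Recursive-descent decoder for the serialize() subset used here; returns (value, next_index)."""
    t = blob[i]
    if t == "N":
        return None, i + 2
    if t in "ib":
        end = blob.index(";", i)
        n = int(blob[i + 2:end])
        return (bool(n) if t == "b" else n), end + 1
    if t == "s":
        colon = blob.index(":", i + 2)
        n = int(blob[i + 2:colon])
        start = colon + 2
        return blob[start:start + n], start + n + 2
    if t in "aO":
        colon = blob.index(":", i + 2)
        n = int(blob[i + 2:colon])
        j = colon + 2
        out: dict = {}
        if t == "O":                          # O:len:"Class":count:{props}
            out["__class__"] = blob[j:j + n]  # the class a real unserializer would instantiate
            j += n + 2
            colon = blob.index(":", j)
            n = int(blob[j:colon])
            j = colon + 2
        for _ in range(n):
            k, j = _parse(blob, j)
            v, j = _parse(blob, j)
            out[k] = v
        return out, j + 1                     # past '}'
    raise ValueError(f"unsupported type {t!r} at offset {i}")


def session_decode(blob: str) -> dict:
    """Inverse of session_encode: split on name|value boundaries and decode each value."""
    session, i = {}, 0
    while i < len(blob):
        bar = blob.index("|", i)
        name = blob[i:bar]
        value, i = _parse(blob, bar + 1)
        session[name] = value
    return session


def store_upload_context(session: dict, from_param: str, data: dict, validate: bool) -> None:
    """Hypothetical stand-in for the upload handler: keys session state by `_from`."""
    if validate and not SAFE_KEY.fullmatch(from_param):
        raise ValueError("rejected _from value")
    session["compose_data_" + from_param] = data


# Constructed attacker value: terminates the current entry with a harmless N; and
# then smuggles a complete "evil|O:..." entry into the serialized session.
INJECTED_FROM = 'x|N;evil|O:4:"Evil":1:{s:3:"cmd";s:2:"id";}'


def demo(validate: bool) -> dict:
    """Store the attacker's `_from`, round-trip the session, return what the next request sees."""
    session = {"user_id": 42}
    store_upload_context(session, INJECTED_FROM, {}, validate)
    return session_decode(session_encode(session))


def injected_objects(decoded: dict) -> list:
    """Class names of any objects that appeared in the session after the round trip."""
    return [v["__class__"] for v in decoded.values() if isinstance(v, dict) and "__class__" in v]


def exploit_blocked() -> bool:
    """True when the allowlist rejects the constructed value before it reaches the session."""
    try:
        demo(validate=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("objects injected without validation:", injected_objects(demo(validate=False)))
    print("allowlist blocks the value:", exploit_blocked())
```

The point the round trip makes is that the handler never calls unserialize on attacker data directly; the injection happens through the session layer, which is why the fix is to reject the key at the request boundary rather than to harden the deserializer.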
December 2025
Roundcube releases versions 1.6.12 and 1.5.12, fixing CVE-2025-68461, a cross-site scripting flaw that abuses the animate tag in SVG documents.
organisation
FearsOff
Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers had "diffed and weaponized the vulnerability" within 48 hours of public disclosure of the flaw.
infrastructure
Roundcube
Roundcube patched the second one (CVE-2025-68461) two months ago, in December 2025, warning that remote, unauthenticated attackers can exploit it through low-complexity cross-site scripting (XSS) attacks that abuse the animate tag in SVG documents.
"We strongly recommend to update all productive installations of Roundcube 1.6.x and 1.5.x with these new versions," the Roundcube security team warned when it released versions 1.6.12 and 1.5.12 that address this security flaw.
Shodan currently tracks over 46,000 Roundcube instances accessible on the internet. However, there is no information on how many of them are vulnerable to CVE-2025-49113 or CVE-2025-68461 attacks.
[Figure: Roundcube instances online (Shodan)]
While it didn't provide any details on attacks exploiting these two security flaws, CISA added them to its Known Exploited Vulnerabilities (KEV) Catalog on Friday, warning that they are "frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."
CISA also tracks ten other Roundcube Webmail vulnerabilities that are either actively exploited in attacks or have been abused in the past.
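The animate tag matters because SMIL animation can rewrite another element's attribute after a static check has run: an `<a>` whose href is harmless when the document is parsed can be animated to a javascript: URL when it is rendered. The following Python is an added example, not code from the page or from Roundcube (whose own sanitizer, rcube_washtml, is not reproduced here). It shows an href-only check passing such a document and a sanitizer that drops SMIL elements, event-handler attributes and script URIs. The sample SVG is constructed for the example and is not the payload used in the reported attacks. Production code should parse untrusted XML with defusedxml rather than the stdlib parser used here for self-containment.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Constructed sample for this example, not the payload from the reported attacks.
# The <a> href is harmless when parsed; the <animate> child rewrites it to a
# javascript: URL once rendered, and the <rect> carries an inline event handler.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a xlink:href="https://example.invalid/"><text y="20">open</text>
    <animate attributeName="href" values="javascript:alert(document.cookie)" dur="1s" fill="freeze"/>
  </a>
  <rect width="10" height="10" onload="alert(1)"/>
</svg>"""

SMIL_ELEMENTS = {"animate", "set", "animatetransform", "animatemotion", "discard"}
BLOCKED_ELEMENTS = SMIL_ELEMENTS | {"script", "foreignobject", "iframe"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def _local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def _is_script_uri(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside the scheme
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    return compact.startswith(SCRIPT_SCHEMES)


def naive_href_check(svg: str) -> bool:
    """What an href-only filter sees: True means 'looks safe'. Blind to SMIL."""
    for el in ET.fromstring(svg).iter():
        for attr, value in el.attrib.items():
            if _local(attr) == "href" and _is_script_uri(value):
                return False
    return True


def sanitize_svg(svg: str) -> tuple:
    """Return (cleaned SVG, removed items); removed attributes are prefixed with '@'."""
    root = ET.fromstring(svg)
    removed = []

    def clean(el):
        for attr in list(el.attrib):
            name = _local(attr)
            if name.startswith("on") or _is_script_uri(el.attrib[attr]):
                del el.attrib[attr]
                removed.append("@" + name)
        for child in list(el):
            if _local(child.tag) in BLOCKED_ELEMENTS:
                el.remove(child)            # drop the whole subtree, attributes included
                removed.append(_local(child.tag))
            else:
                clean(child)

    clean(root)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("href-only check passes the sample:", naive_href_check(SAMPLE_SVG))
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    print("removed:", removed)
    print(cleaned)
```

Dropping every SMIL element is deliberate: allowing animate while trying to enumerate which attributeName values are dangerous is the kind of partial check that a ten-year-old bypass survives.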
Feb 21, 2026
CISA adds CVE-2025-49113 and CVE-2025-68461 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation, and orders FCEB agencies to patch within three weeks.
2026-02-23
BleepingComputer reports that the recently patched Roundcube flaws are being exploited in attacks.
infrastructure
Roundcube
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog (The Hacker News, Vulnerability / Patch Management)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
The vulnerabilities in question are listed below -
CVE-2025-49113 (CVSS score: 9.9) - A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)
CVE-2025-68461 (CVSS score: 7.2) - A cross-site scripting vulnerability via the animate tag in an SVG document. (Fixed in December 2025)
Firsov also noted that CVE-2025-49113 can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years.
There are no details on who is behind the exploitation of the two Roundcube flaws. But multiple vulnerabilities in the email software have been weaponized by nation-state threat actors like APT28 and Winter Vivern.
Recently patched RoundCube flaws now exploited in attacks (BleepingComputer)
CISA flagged two Roundcube Webmail vulnerabilities as actively exploited in attacks and ordered U.S. federal agencies to patch them within three weeks.
Roundcube Webmail is a web-based email client that has been the default mail interface for the widely used cPanel web hosting control panel since 2008.
March 13, 2026
BOD 22-01 deadline: Federal Civilian Executive Branch (FCEB) agencies are to remediate both vulnerabilities by March 13, 2026, to secure their networks against the active threat.
Tactical Metrics
Affected Product: Roundcube Webmail, 1.6.x and 1.5.x branches (CVE-2025-68461 fixed in 1.6.12 and 1.5.12; CVE-2025-49113 fixed in the June 2025 releases)
CVSS: CVE-2025-49113 9.9 (critical, authenticated RCE via deserialization in program/actions/settings/upload.php); CVE-2025-68461 7.2 (XSS via the animate tag in SVG documents)
Exposure: over 84,000 vulnerable Roundcube webmail installations reported by Shadowserver in June 2025; over 46,000 Roundcube instances currently visible on Shodan (how many remain vulnerable is unknown)
Remediation deadline: March 13, 2026 for FCEB agencies under BOD 22-01
Intelligence Sources
The Hacker News, 2026-02-21: CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog
BleepingComputer, 2026-02-23: CISA: Recently patched RoundCube flaws now exploited in attacks
Incident Version History: Last Updated 2026-04-27T07:09
Contextual Telemetry
Affected Product: Roundcube
MITRE ATT&CK Technique: T1588.006 - Obtain Capabilities: Vulnerabilities
Origin Country (historical actors APT28 and Winter Vivern): Russian Federation
Targeted Sector: Government
Target Country (APT28 exploitation of CVE-2023-5631): Ukraine
Vulnerable Roundcube Webmail installations (Shadowserver, June 2025): 84,000
Roundcube instances online (Shodan): 46,000
Time from public disclosure to weaponization of CVE-2025-49113: 48 hours