CISA Adds Roundcube Webmail Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog to include two significant security flaws affecting Roundcube Webmail. According to CISA, these vulnerabilities—CVE-2025-49113 and CVE-2025-68461—are currently being leveraged by malicious actors in active cyberattacks.
Roundcube is a widely adopted open-source webmail client used by government agencies, educational institutions, and private enterprises globally. Its prevalence and the sensitive nature of the data it handles make it a high-value target for threat actors, particularly those engaged in cyber-espionage and data exfiltration. The inclusion of these CVEs in the KEV catalog serves as a formal confirmation that these issues are no longer theoretical risks but are being weaponized in the wild.
Technical Analysis of the Vulnerabilities
CVE-2025-49113: Deserialization of Untrusted Data
CVE-2025-49113 is a deserialization of untrusted data vulnerability. In software development, serialization is the process of converting complex data structures into a format that can be easily stored or transmitted. Deserialization is the reverse process. When an application like Roundcube fails to properly sanitize user-supplied input before passing it to a deserialization function, an attacker can manipulate the input to instantiate arbitrary objects within the application’s memory.
This specific class of vulnerability is particularly dangerous because it often leads to Remote Code Execution (RCE). In a webmail environment, a successful RCE exploit could allow an attacker to gain complete control over the mail server, access all stored messages, and use the compromised infrastructure as a pivot point for lateral movement into the broader corporate network.
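To make the mechanism described above concrete, the following PHP sketch (PHP being the language Roundcube is written in) contrasts an unsafe call to `unserialize()` on request data with two hardened alternatives. It is an added illustration, not Roundcube's code and not a reproduction of CVE-2025-49113; the `AuditLogger` class, the `load_prefs_*` functions and the sample payload are all constructed for this example.

```php
<?php
// Added example (not Roundcube code): deserialization of untrusted data in PHP.
// Assumption: a hypothetical endpoint receives serialized user preferences and
// expects a plain array, never an object.

// Stand-in for any class with a "magic" method. In real applications it is the
// bodies of __wakeup()/__destruct() (file writes, command execution) that turn
// attacker-controlled object instantiation into Remote Code Execution.
class AuditLogger {
    public $target = '/tmp/app.log';
    public function __wakeup() {
        // Demonstrates that attacker-supplied data reached application code.
        echo "AuditLogger::__wakeup ran with target={$this->target}\n";
    }
}

// Constructed sample input: a serialized object the endpoint never expected.
$untrusted = 'O:11:"AuditLogger":1:{s:6:"target";s:14:"/etc/important";}';

// VULNERABLE: unserialize() instantiates whatever class the payload names and
// runs its __wakeup(). This is the bug class the article describes.
function load_prefs_vulnerable(string $input) {
    return unserialize($input);
}

// HARDENED (option 1): forbid object instantiation. Any class named in the
// payload becomes __PHP_Incomplete_Class and no magic method runs; then reject
// anything that is not the expected shape.
function load_prefs_hardened(string $input): array {
    $data = unserialize($input, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED (option 2): do not use PHP's native serialization for user-controlled
// state at all. JSON has no way to express "instantiate this class".
function load_prefs_json(string $input): array {
    $data = json_decode($input, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

$obj = load_prefs_vulnerable($untrusted);   // __wakeup() fires: the object was built
var_dump($obj instanceof AuditLogger);      // attacker chose the class

$safe = load_prefs_hardened($untrusted);    // __wakeup() does not fire
var_dump($safe);                            // empty array: payload rejected

var_dump(load_prefs_json('{"timezone":"UTC","layout":"widescreen"}'));
```

Auditing a PHP code base for `unserialize()` calls that reach request, cookie or mail-derived data, and confirming each one either sets `allowed_classes` or is replaced by a JSON decode, is the corresponding defensive check.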
CVE-2025-68461: Cross-Site Scripting (XSS)
CVE-2025-68461 involves a Cross-Site Scripting (XSS) flaw. XSS vulnerabilities occur when an application includes untrusted data in a web page without proper validation or escaping. In the context of a webmail service, this typically involves an attacker sending a specially crafted email containing malicious JavaScript.
When a victim opens the malicious email, the script executes within the victim’s browser session. This can be used to hijack session cookies, steal login credentials, or perform actions on behalf of the user—such as forwarding emails to an external address or modifying account settings. While XSS is sometimes perceived as a lower-tier threat compared to RCE, its impact in a webmail application is severe, as it provides a direct mechanism for account takeover and unauthorized access to sensitive communications.
Strategic Implications for Defenders
The addition of these vulnerabilities to the KEV catalog carries mandatory remediation requirements for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01. This directive requires agencies to patch the vulnerabilities by a specified due date to mitigate the significant risk they pose to federal networks.
For the private sector, the KEV catalog serves as a prioritized roadmap for vulnerability management. Given that Roundcube has historically been targeted by Advanced Persistent Threat (APT) groups seeking intelligence on diplomatic and government targets, organizations using this platform should treat these updates with the highest priority. The active exploitation phase suggests that automated scanning or targeted campaigns are already underway.
Mitigation and Recommendations
To defend against these threats, security teams should prioritize the following actions:
- Immediate Patching: Update all Roundcube Webmail instances to the latest stable versions that address these specific CVEs.
- Audit and Discovery: Conduct a thorough inventory of the environment to identify any unauthorized or legacy Roundcube installations that may have been deployed by individual departments.
- Monitoring and Logging: Enhance monitoring for unusual web server behavior, such as abnormal POST requests or signs of unauthorized access to sensitive mail directories.
- Defense-in-Depth: Ensure that Multi-Factor Authentication (MFA) is strictly enforced for all webmail users to mitigate the risk of credential theft resulting from XSS attacks.