CISA flagged two Roundcube Webmail vulnerabilities as actively exploited—CVE-2025-49113 and CVE-2025-68461—and ordered U.S. federal agencies to patch them within three weeks. Shadowserver and Shodan data show tens of thousands of internet-exposed Roundcube instances, and past exploitation has involved groups such as Winter Vivern (TA473) and APT28.
Key points
- CISA added CVE-2025-49113 and CVE-2025-68461 to its KEV catalog and mandated patches for federal agencies by March 13 under BOD 22-01.
- CVE-2025-49113 is a critical remote code execution flaw that was observed being exploited within days of its June 2025 patch, with Shadowserver reporting over 84,000 vulnerable installations.
- CVE-2025-68461 is a low-complexity, unauthenticated XSS via the SVG animate tag patched in December 2025 in Roundcube versions 1.6.12 and 1.5.12.
- Shodan currently lists over 46,000 internet-accessible Roundcube instances, though the exact number vulnerable to these CVEs is unknown.
- Roundcube has been targeted by cybercrime and state-sponsored actors, including Winter Vivern (TA473) and APT28, and CISA tracks ten other Roundcube vulnerabilities.
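A branch-aware inventory check against the fixed releases named above (1.6.12 and 1.5.12 for CVE-2025-68461), added here as example code rather than anything from Roundcube or CISA. The hostnames, version strings and the treatment of branches not listed on the page (newer ones assumed patched, older ones flagged unsupported) are constructed assumptions; the page gives no fixed version for CVE-2025-49113, so only the XSS fix is encoded.

```python
"""Triage Roundcube versions against the CVE-2025-68461 fixed releases (example code)."""
import re
from typing import NamedTuple

# Fixed releases stated on the page, keyed by (major, minor) branch; the
# trailing 1 marks a final release so that pre-releases sort below it.
FIXED_FOR_CVE_2025_68461 = {(1, 6): (1, 6, 12, 1), (1, 5): (1, 5, 12, 1)}


class Finding(NamedTuple):
    host: str
    version: str
    status: str  # "vulnerable", "unsupported" or "patched"


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, is_final); '-rc1' style suffixes count as pre-release."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)(-[\w.]+)?", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1)


def classify(version: str) -> str:
    """Compare a version with the fix for its own branch, not the newest branch."""
    v = parse_version(version)
    fixed = FIXED_FOR_CVE_2025_68461.get(v[:2])
    if fixed is None:
        # Assumption (not from the page): branches newer than those listed carry
        # the fix; anything older has no listed fixed release and is unsupported.
        return "patched" if v[:2] > max(FIXED_FOR_CVE_2025_68461) else "unsupported"
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory: dict) -> list:
    """Return one Finding per host, most urgent first, then by hostname."""
    order = {"vulnerable": 0, "unsupported": 1, "patched": 2}
    findings = [Finding(h, ver, classify(ver)) for h, ver in inventory.items()]
    return sorted(findings, key=lambda f: (order[f.status], f.host))


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "mail.example.test": "1.6.11",
    "webmail.example.test": "1.6.12",
    "legacy.example.test": "1.5.9",
    "old.example.test": "1.4.15",
}

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:<11} {f.host:<24} {f.version}")
```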