CISA Adds Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog
CISA added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation: CVE-2025-49113 (CVSS 9.9), a deserialization issue enabling authenticated remote code execution due to improper validation of the _from URL parameter in program/actions/settings/upload.php, and CVE-2025-68461 (CVSS 7.2), an XSS flaw involving the animate tag in an SVG document. CISA directed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by 2026-03-13, and advised applying vendor mitigations per guidance (or discontinuing use if mitigations are unavailable).
The KEV repository updates for 2026-02-20 reflect both Roundcube entries, including mappings to CWE-502 (deserialization) and CWE-79 (XSS) and links to Roundcube advisories/releases. Reporting also noted that researchers observed rapid attacker uptake of CVE-2025-49113 after disclosure, including claims that attackers quickly “diffed and weaponized” the bug and that exploit access was offered for sale shortly after. Separate reporting about BeyondTrust Remote Support/Privileged Remote Access (CVE-2026-1731) describes a different KEV addition and is not part of the Roundcube event.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Nuclei template released for detecting CVE-2025-68461 exposure
A ProjectDiscovery pull request added a Nuclei template to identify Roundcube instances vulnerable to CVE-2025-68461 by checking the exposed rcversion value. The template targeted versions earlier than 1.5.12 and 1.6.12.
CISA KEV update expands with additional exploited products
On the same February 20, 2026 KEV update cycle, CISA's catalog also included exploited vulnerabilities affecting GitLab, Dell RecoverPoint for Virtual Machines, and Synacor Zimbra Collaboration Suite. The catalog version increased from 2026.02.19 to 2026.02.20 and the total count rose from 1524 to 1526.
CISA adds two Roundcube flaws to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog to add Roundcube Webmail flaws CVE-2025-49113 and CVE-2025-68461 based on evidence of active exploitation. The update was published on February 20, 2026, and set a federal remediation deadline in mid-March 2026.
Roundcube patches CVE-2025-68461 XSS flaw
Roundcube fixed CVE-2025-68461, an SVG animate tag cross-site scripting vulnerability, in versions 1.6.12 and 1.5.12. Reporting indicates the patch was released in December 2025.
Attackers weaponize CVE-2025-49113 after disclosure
Researchers at FearsOff said attackers weaponized the Roundcube CVE-2025-49113 flaw within 48 hours of its public disclosure. This showed the vulnerability quickly moved from disclosure to active offensive use.
Exploit for CVE-2025-49113 offered for sale
An exploit targeting Roundcube CVE-2025-49113 was reportedly offered for sale shortly after disclosure. One report places this sale on June 4, 2025, indicating rapid weaponization interest.
Roundcube patches CVE-2025-49113 remote code execution flaw
Roundcube released fixes for CVE-2025-49113, a deserialization vulnerability that can lead to authenticated remote code execution, in versions 1.6.11 and 1.5.10 LTS. Multiple reports state the flaw was patched on June 1, 2025.
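The version check that the Nuclei entry above describes, extended to both KEV-listed CVEs using the fixed releases named in this timeline. This is an added example for triaging your own Roundcube inventory, not the ProjectDiscovery template or code from any cited source. It assumes the exposed rcversion value encodes the release as major*10000 + minor*100 + patch, treats branches older than 1.5 as exposed because the page names no fixed release for them, and uses constructed sample page source.

```python
import re

# Fixed patch level per release branch, taken from the timeline above.
FIXED = {
    "CVE-2025-49113": {(1, 5): 10, (1, 6): 11},
    "CVE-2025-68461": {(1, 5): 12, (1, 6): 12},
}

def parse_rcversion(html):
    """Return (major, minor, patch) from an rcversion value in page source, or None."""
    m = re.search(r'"rcversion"\s*:\s*"?(\d+)"?', html)
    if not m:
        return None
    n = int(m.group(1))
    # Assumed encoding: major*10000 + minor*100 + patch (10611 -> 1.6.11).
    return (n // 10000, (n // 100) % 100, n % 100)

def exposure(version):
    """Map a version tuple to {cve: 'exposed' | 'fixed' | 'unknown'}."""
    branch, patch = version[:2], version[2]
    result = {}
    for cve, fixes in FIXED.items():
        if branch in fixes:
            result[cve] = "fixed" if patch >= fixes[branch] else "exposed"
        elif branch < min(fixes):
            # Assumption: older than every branch with a fix named on the page.
            result[cve] = "exposed"
        else:
            # Newer branch than the page covers; do not guess.
            result[cve] = "unknown"
    return result

def triage(html):
    """Return the exposure map for one page, or None if no rcversion is present."""
    version = parse_rcversion(html)
    return None if version is None else exposure(version)

# Constructed sample page-source fragments, keyed by hypothetical host labels.
SAMPLES = {
    "mail-a": 'rcmail.set_env({"task":"login","rcversion":10610});',
    "mail-b": 'rcmail.set_env({"task":"login","rcversion":10611});',
    "mail-c": 'rcmail.set_env({"task":"login","rcversion":10512});',
    "mail-d": '<html><title>Webmail</title></html>',
}

if __name__ == "__main__":
    for host, html in SAMPLES.items():
        print(host, triage(html))
```

A host that returns None needs its version confirmed another way, such as the package manager or the installed source tree, before it is marked clean.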
Sources
10 references tracked.
CVE-2025-49113 & CVE-2025-68461: Roundcube Webmail Vulnerabilities Actively Exploited (op-c.net)
CISA Warns of Multiple Roundcube Vulnerabilities Exploited in Attacks (cybersecuritynews.com)
Recent RoundCube Webmail Vulnerability Exploited in Attacks - SecurityWeek (securityweek.com)
CISA Warns of Actively Exploited Roundcube Vulnerabilities (gbhackers.com)
U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog (thehackernews.com)
Add Updated KEV Files for 2026-02-20 · cisagov/kev-data@7c82a9c · GitHub (github.com)
Add Updated KEV Files for 2026-02-20 · cisagov/kev-data@45d625a · GitHub (github.com)


