CISA Adds Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog
CISA added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation: CVE-2025-49113 (CVSS 9.9), a deserialization issue enabling authenticated remote code execution due to improper validation of the `_from` URL parameter in `program/actions/settings/upload.php`, and CVE-2025-68461 (CVSS 7.2), an XSS flaw involving the `animate` tag in an SVG document. CISA directed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by 2026-03-13, applying mitigations per vendor instructions or discontinuing use of the product if mitigations are unavailable.
The KEV repository updates for 2026-02-20 reflect both Roundcube entries, including mappings to CWE-502 (deserialization) and CWE-79 (XSS) and links to Roundcube advisories/releases. Reporting also noted that researchers observed rapid attacker uptake of CVE-2025-49113 after disclosure, including claims that attackers quickly “diffed and weaponized” the bug and that exploit access was offered for sale shortly after. Separate reporting about BeyondTrust Remote Support/Privileged Remote Access (CVE-2026-1731) describes a different KEV addition and is not part of the Roundcube event.
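As an added example (not code from CISA, Roundcube or the reporting above), a small Python triage helper over records in the shape of the KEV JSON feed (`cveID`, `vendorProject`, `dueDate`, `cwes`, `knownRansomwareCampaignUse`), ranking matches against an asset inventory by BOD 22-01 due date and ransomware linkage; the sample records, the BeyondTrust dates and the inventory are constructed for the demo.

```python
"""KEV triage helper: added example, not CISA's or the article's code.

Assumes the record layout of CISA's known_exploited_vulnerabilities.json
feed. The records below are constructed from values in the story; the
BeyondTrust dates are placeholders, not taken from the live catalog.
"""
import json
from datetime import date

# Constructed sample in the shape of the feed's "vulnerabilities" array.
SAMPLE_KEV = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-49113", "vendorProject": "Roundcube", "product": "Webmail",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-502"]},
    {"cveID": "CVE-2025-68461", "vendorProject": "Roundcube", "product": "Webmail",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-13",
     "knownRansomwareCampaignUse": "Unknown", "cwes": ["CWE-79"]},
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "product": "Remote Support and Privileged Remote Access",
     "dateAdded": "2026-02-19", "dueDate": "2026-02-26",  # constructed dates
     "knownRansomwareCampaignUse": "Known", "cwes": []},
]})


def kev_triage(kev_json: str, inventory: set, today: date) -> list:
    """Return KEV entries whose vendor is in the (lower-cased) asset inventory,
    ordered by urgency: overdue first, then ransomware-linked, then nearest
    due date. days_left is negative once the BOD 22-01 deadline has passed."""
    catalog = json.loads(kev_json)
    hits = []
    for v in catalog["vulnerabilities"]:
        if v["vendorProject"].lower() not in inventory:
            continue
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        hits.append({
            "cve": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "cwes": v.get("cwes", []),
            "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    # sort() is stable, so equal-urgency entries keep catalog order
    hits.sort(key=lambda h: (not h["overdue"], not h["ransomware"], h["days_left"]))
    return hits


if __name__ == "__main__":
    for hit in kev_triage(SAMPLE_KEV, {"roundcube", "beyondtrust"}, date(2026, 3, 1)):
        print(f'{hit["cve"]:15} due in {hit["days_left"]:>3}d  '
              f'ransomware={hit["ransomware"]}  {hit["cwes"]}  {hit["product"]}')
```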
Related Stories

CISA Flags Actively Exploited Vulnerabilities as KEV Adds Expand to BeyondTrust and Roundcube
CISA updated its *Known Exploited Vulnerabilities (KEV) Catalog* to reflect **active exploitation** of a previously patched **BeyondTrust** remote code execution flaw, **CVE-2026-1731** (CVSS 9.9), which has now been tied to **ransomware activity**. Reporting also cited third-party telemetry indicating an increase in exploitation attempts, and emphasized that because BeyondTrust commonly sits in **identity/privileged access** paths, successful RCE can rapidly translate into broad enterprise compromise; recommended mitigations included immediate patching and, if patching is not immediately possible, taking the affected portal offline or tightly restricting access. Separately, CISA also announced the addition of two **Roundcube Webmail** vulnerabilities to the KEV Catalog based on evidence of active exploitation: **CVE-2025-49113** (deserialization of untrusted data) and **CVE-2025-68461** (cross-site scripting). CISA reiterated that under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by mandated deadlines, and urged all organizations to prioritize remediation of KEV entries as a high-signal indicator of real-world exploitation risk.
3 weeks ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
1 month ago
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2025-31125** (Vite/Vitejs improper access control), **CVE-2025-34026** (Versa Concerto improper authentication), **CVE-2025-54313** (*eslint-config-prettier* embedded malicious code), and **CVE-2025-68645** (Synacor **Zimbra Collaboration Suite** PHP remote file inclusion). Under **Binding Operational Directive (BOD) 22-01**, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by CISA’s specified due dates; CISA also urged all organizations to prioritize patching these KEV entries as part of routine vulnerability management. Reporting on the update highlighted technical risk details for several of the newly listed items, including an authentication bypass in **Versa Concerto** (reported as affecting versions 12.1.2 through 12.2.0) tied to a Traefik reverse-proxy misconfiguration that could expose administrative endpoints (including an internal Actuator endpoint with access to heap dumps and trace logs). It also described the supply-chain impact of the **eslint-config-prettier** malicious code issue, where installing affected versions can execute an `install.js` that launches Windows malware, and noted the **Zimbra** webmail flaw enabling unauthenticated file inclusion from the web root in affected 10.0/10.1 versions. Separately, CISA also published an ICS advisory for **EVMAPA** EV-charging infrastructure vulnerabilities, but that advisory is not part of the KEV-additions event.
1 month ago