
Inbox at Risk: Critical Roundcube Webmail Flaws Actively Exploited


Roundcube Webmail, a widely-used web-based email client, is facing increased scrutiny as threat actors actively exploit several vulnerabilities. The Cybersecurity and Infrastructure Security Agency (CISA) has recently flagged two Roundcube Webmail vulnerabilities, CVE-2025-49113 and CVE-2025-68461, as being actively exploited in the wild. This has prompted a strong recommendation for immediate patching, especially for U.S. federal agencies, to mitigate potential risks.


Vulnerability Details

The two primary vulnerabilities under active exploitation are:

  • CVE-2025-49113: A critical remote code execution (RCE) vulnerability caused by improper validation of the _from parameter in program/actions/settings/upload.php, which enables malicious PHP object deserialization and potentially arbitrary code execution.
  • CVE-2025-68461: A cross-site scripting (XSS) vulnerability that can be exploited via the animate tag in SVG documents.

Successful exploitation of CVE-2025-49113 could allow attackers to execute arbitrary code on the server, potentially leading to full system compromise. Meanwhile, CVE-2025-68461 enables attackers to inject malicious scripts into web pages viewed by users, leading to data theft or other malicious activities.


Affected Versions

The vulnerabilities affect the following Roundcube Webmail versions:

  • Roundcube Webmail 1.5.x and prior
  • Roundcube Webmail 1.6.x

It is crucial to note that Roundcube Webmail has been the default mail interface for the widely-used cPanel web hosting control panel since 2008, making a large number of installations potentially vulnerable.


Mitigation & Recommendations

The Roundcube security team strongly advises users to update their installations to the latest versions:

  • Roundcube Webmail 1.5.12
  • Roundcube Webmail 1.6.12

These versions include patches that address the identified security flaws. Given the active exploitation of these vulnerabilities, applying these updates should be treated as a priority. CISA has also issued a directive requiring Federal Civilian Executive Branch (FCEB) agencies to secure their systems against these vulnerabilities by March 13, highlighting the severity of the threat.
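As an added example (not code from the original post or from the Roundcube project), the following Python script triages an inventory of Roundcube installations against the affected and fixed versions listed in the two sections above: it classifies each version by branch, treats branches older than 1.5 as affected with no fix of their own, and can read the installed version from program/include/iniset.php, where the RCMAIL_VERSION define is assumed to live. The inventory is constructed sample data.

```python
import re
from pathlib import Path

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)}


def parse_version(text):
    """Turn '1.6.10' or '1.6.10-beta' into a tuple of ints, e.g. (1, 6, 10)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(version):
    """Return (vulnerable, recommendation) for one installed version, per the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        if v >= FIXED[branch]:
            return False, "patched"
        return True, "upgrade to " + ".".join(map(str, FIXED[branch]))
    if branch < (1, 5):
        # "1.5.x and prior" is affected and older branches received no fix of their own.
        return True, "unsupported branch: upgrade to 1.5.12 or 1.6.12"
    # Branches newer than those the advisory names are not covered by this page.
    return False, "not covered by advisory"


def read_installed_version(roundcube_root):
    """Read RCMAIL_VERSION from program/include/iniset.php (assumed location of the define)."""
    iniset = Path(roundcube_root) / "program" / "include" / "iniset.php"
    m = re.search(r"define\('RCMAIL_VERSION',\s*'([^']+)'\)", iniset.read_text())
    if not m:
        raise ValueError(f"RCMAIL_VERSION not found in {iniset}")
    return m.group(1)


def triage(inventory):
    """Map hostname -> (vulnerable, recommendation) for a dict of hostname -> version."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {"mail-a": "1.6.10", "mail-b": "1.6.12", "mail-c": "1.4.15"}

if __name__ == "__main__":
    for host, (vuln, advice) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'VULNERABLE' if vuln else 'ok'} ({advice})")
```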


TTPs

  • TA0001 – Initial Access: Exploiting public-facing applications to gain initial access.
  • TA0002 – Execution: Running malicious code on compromised systems through T1190, Exploit Public-Facing Application.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software solution that instantly fixes risks exploited in the wild. It supports major operating systems such as Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.