
CISA Adds Two Roundcube Vulnerabilities to Exploited Flaws List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog on Friday. The agency cited evidence of active exploitation in the wild as the reason for the action.

This move requires all federal civilian executive branch agencies to apply the necessary patches by a specified deadline. The directive underscores the severity of the threats posed by these flaws.

Details of the Vulnerabilities

The first vulnerability, tracked as CVE-2025-49113, carries a critical CVSS score of 9.9. It is a deserialization of untrusted data flaw that can allow a remote attacker to execute arbitrary code on a vulnerable Roundcube instance. This type of vulnerability is often severe, as it can lead to complete system compromise.
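To make the vulnerability class concrete, the following PHP snippet is an added illustration written for this article; it is not Roundcube's code and says nothing about where the flaw sits in Roundcube. The `Preferences` class, the function names and the serialized sample string are all constructed. It contrasts `unserialize()` on attacker-controlled bytes, which lets the sender choose which classes get instantiated and therefore which `__wakeup`/`__destruct` code runs, with two hardened forms: refusing object instantiation via `allowed_classes`, and using a data-only format (JSON) and rebuilding the object yourself.

```php
<?php
// Added example (not Roundcube's code): deserialization of untrusted data in PHP.

class Preferences
{
    public string $timezone = 'UTC';

    // Any method like this runs automatically when an object of this class
    // is rebuilt by unserialize(); that is what makes the pattern dangerous.
    public function __wakeup(): void
    {
        echo "__wakeup() ran for " . static::class . "\n";
    }
}

// Vulnerable pattern: the caller of this function controls which classes
// are instantiated and which magic methods execute.
function load_prefs_unsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened pattern 1: keep the wire format but forbid object instantiation.
// Objects in the input become __PHP_Incomplete_Class and no methods run.
function load_prefs_safe(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return $value === false ? null : $value;
}

// Hardened pattern 2: a data-only format, validated field by field, then an
// object built by trusted code. No class name ever comes from the input.
function load_prefs_json(string $raw): ?Preferences
{
    try {
        $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data) || !isset($data['timezone']) || !is_string($data['timezone'])) {
        return null;
    }
    $prefs = new Preferences();
    $prefs->timezone = $data['timezone'];
    return $prefs;
}

// Constructed sample input: a serialized Preferences object, the kind of
// string a client could hand to an endpoint that trusts its cookie or POST body.
$untrusted = 'O:11:"Preferences":1:{s:8:"timezone";s:13:"Europe/Berlin";}';

echo "--- unsafe ---\n";
var_dump(load_prefs_unsafe($untrusted));   // prints "__wakeup() ran", live object
echo "--- allowed_classes => false ---\n";
var_dump(load_prefs_safe($untrusted));     // __PHP_Incomplete_Class, nothing executed
echo "--- json ---\n";
var_dump(load_prefs_json('{"timezone":"Europe/Berlin"}'));
```

When auditing a PHP code base for this class of bug, grep for `unserialize(` and check whether each call site either passes `allowed_classes` or receives input that never crossed a trust boundary; the JSON variant is preferable for new code because it cannot instantiate classes at all.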

The second flaw, identified as CVE-2025-49114, has a CVSS score of 6.1, rating it as medium severity. It is a cross-site scripting (XSS) vulnerability. While typically less severe than remote code execution, XSS flaws can be used to steal user session cookies, deface websites, or redirect users to malicious sites.
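The following PHP snippet is an added illustration of the XSS bug class in a webmail context, not Roundcube's code; the message array, the function names and the sample subject are constructed. It shows a message list renderer that interpolates the sender-controlled subject straight into HTML beside a hardened version that escapes for the HTML context and allow-lists link schemes.

```php
<?php
// Added example (not Roundcube's code): reflected/stored XSS in a message list.

// Constructed sample messages; the subject and link are attacker-controlled
// because any sender can put arbitrary text in a mail header or body.
$messages = [
    ['subject' => 'Quarterly report',                    'link' => 'https://example.test/report'],
    ['subject' => '<script>alert(document.cookie)</script>', 'link' => 'javascript:alert(1)'],
];

// Vulnerable pattern: raw interpolation. The second subject is rendered as
// markup, so the script executes in the reader's session.
function render_list_unsafe(array $messages): string
{
    $html = "<ul>\n";
    foreach ($messages as $m) {
        $html .= "  <li><a href=\"{$m['link']}\">{$m['subject']}</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Escape for the HTML text/attribute context: <, >, &, " and ' become entities.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Only http(s) links are emitted; anything else (javascript:, data:, ...) is dropped.
function safe_href(string $url): ?string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Hardened pattern: every untrusted value is encoded for the context it lands in.
function render_list_safe(array $messages): string
{
    $html = "<ul>\n";
    foreach ($messages as $m) {
        $href = safe_href($m['link']);
        $html .= $href === null
            ? "  <li>" . h($m['subject']) . "</li>\n"
            : "  <li><a href=\"" . h($href) . "\">" . h($m['subject']) . "</a></li>\n";
    }
    return $html . "</ul>\n";
}

echo "--- unsafe ---\n" . render_list_unsafe($messages);
echo "--- safe ---\n" . render_list_safe($messages);
```

Output encoding is the fix for the page; a `Content-Security-Policy` header that disallows inline script is the defence-in-depth layer that limits damage when a single escaping call is missed.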

Significance of the KEV Catalog

CISA’s Known Exploited Vulnerabilities catalog is a list of security flaws that have reliable evidence of being actively exploited by threat actors. Inclusion in the catalog is a significant indicator of real-world danger. It triggers a binding operational directive for federal agencies, mandating remediation within strict timelines.

For private sector organizations and the broader public, the KEV listing serves as a critical, authoritative alert. It signals that these vulnerabilities are not merely theoretical but are being used in actual cyber attacks, necessitating immediate attention from all Roundcube users.

Background on Roundcube Software

Roundcube is a widely used, open-source webmail application written in PHP. It is popular among businesses, educational institutions, and internet service providers for providing a browser-based email client interface. Its broad deployment makes it an attractive target for malicious hackers seeking access to email communications and sensitive data.

The discovery and active exploitation of these vulnerabilities highlight the ongoing security challenges faced by widely deployed open-source software. Maintainers must constantly audit code and release patches, while users must apply updates promptly.

Recommended Actions for Users

The primary mitigation for these security issues is to update Roundcube to the latest patched version immediately. System administrators should consult the official Roundcube security advisories for specific version information and upgrade instructions.

Organizations that cannot patch immediately are advised to consider implementing additional network security controls. These may include web application firewalls configured to filter malicious requests targeting these specific vulnerabilities.

CISA’s announcement did not attribute the exploitation activity to any specific threat actor or group. The nature of the attacks and the potential impact on compromised systems remain under investigation by cybersecurity researchers.

Looking Ahead

Federal agencies are required to patch these vulnerabilities by the deadline set in the binding directive, typically within a few weeks. Cybersecurity researchers expect increased scanning and exploit attempts targeting unpatched Roundcube servers globally in the coming days. The Roundcube development team is likely to continue monitoring the situation and may release further guidance as more information about the exploitation campaigns becomes available.

Source: Original agency announcement and cybersecurity advisories.
