Exploitation of Vulnerabilities in Roundcube Webmail Raises Alarm
Recent findings by the Cybersecurity and Infrastructure Security Agency (CISA) reveal that two vulnerabilities within Roundcube Webmail are currently being exploited by malicious actors, prompting urgent mitigation measures.
The vulnerabilities, identified as CVE-2025-49113 and CVE-2025-68461, expose Roundcube installations to serious security risks. CVE-2025-49113 is a critical remote code execution (RCE) vulnerability caused by insufficient validation of the _from parameter in settings/upload.php, allowing arbitrary code execution. CVE-2025-68461 is a cross-site scripting (XSS) vulnerability that enables attackers to inject malicious scripts into web pages via the SVG animate tag. Successful exploitation of either vulnerability risks complete system compromise, affecting user data and overall application integrity.
These vulnerabilities impact Roundcube Webmail versions 1.5.x and earlier, as well as 1.6.x. Because Roundcube is the default mail interface for the widely used cPanel control panel, many installations could be at significant risk. To address these vulnerabilities, the Roundcube security team has released updated versions (1.5.12 and 1.6.12) that contain the fixes. CISA’s directive highlights the urgency, mandating that federal agencies secure their systems against these vulnerabilities by March 13.
Why this matters: The exploitation of these vulnerabilities can lead to widespread data theft and operational disruptions, posing serious risks for organizations, particularly those handling sensitive information. Immediate action is vital for all users of Roundcube Webmail to minimize potential harm.
To reduce risk, organizations should implement effective patch management solutions and monitoring tools to ensure timely updates and vulnerability detection.
While no specific Indicators of Compromise (IOCs) were mentioned, awareness of the CVE IDs and affected versions is critical for security teams monitoring for possible exploits.
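Since the article gives only the affected branches and the fixed releases (1.5.12 and 1.6.12) as the practical indicator, a defender's first step is an inventory check: which hosts still run an unpatched build. The following script is an added example, not code from the article or from the Roundcube project. It reads the version string Roundcube defines as RCMAIL_VERSION (the assumption here is that it lives in program/include/iniset.php as a PHP define; adjust the extractor if your deployment differs) and classifies each host against the patched releases. The sample inventory is constructed for illustration.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Patched releases named in the advisory, keyed by minor branch (1.5.x, 1.6.x).
PATCHED: Dict[Tuple[int, int], Version] = {
    (1, 5): (1, 5, 12),
    (1, 6): (1, 6, 12),
}


def parse_version(text: str) -> Optional[Version]:
    """Turn '1.6.11' (or '1.6.11-git') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if this Roundcube version lacks the fixes for CVE-2025-49113 / CVE-2025-68461.

    1.5.x and 1.6.x are fixed from 1.5.12 / 1.6.12 onward. The article states that
    releases before 1.5 are affected as well, and no fixed build exists for them.
    Branches newer than 1.6 are assumed (not stated by the article) to carry the fix.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    branch = v[:2]
    if branch in PATCHED:
        return v < PATCHED[branch]
    return branch < (1, 5)


def version_from_iniset(source: str) -> Optional[str]:
    """Extract RCMAIL_VERSION from the contents of program/include/iniset.php.

    Assumption: the file declares it as define('RCMAIL_VERSION', '1.6.11');
    """
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", source)
    return m.group(1) if m else None


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status given host -> iniset.php contents collected from each server."""
    report: Dict[str, str] = {}
    for host, iniset in inventory.items():
        ver = version_from_iniset(iniset)
        if ver is None:
            report[host] = "UNKNOWN: RCMAIL_VERSION not found"
        elif is_affected(ver):
            report[host] = f"VULNERABLE: {ver} (upgrade to 1.5.12 / 1.6.12)"
        else:
            report[host] = f"OK: {ver}"
    return report


# Constructed sample: iniset.php fragments as they might be pulled from three hosts.
SAMPLE_INVENTORY = {
    "mail-a.example": "<?php\ndefine('RCMAIL_VERSION', '1.6.11');\n",
    "mail-b.example": "<?php\ndefine('RCMAIL_VERSION', '1.6.12');\n",
    "mail-c.example": "<?php\ndefine('RCMAIL_VERSION', '1.4.15');\n",
    "mail-d.example": "<?php\n// version define missing or renamed\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

In practice the iniset.php contents would be gathered by your configuration-management or EDR tooling and fed into audit(); hosts reported VULNERABLE or UNKNOWN are the ones to prioritise for the upgrade the advisory calls for.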