Federal agencies have three weeks to secure vulnerable webmail systems.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. The agency confirmed that threat actors are actively exploiting both flaws.

As a result, U.S. Federal Civilian Executive Branch agencies must apply patches within three weeks under Binding Operational Directive 22-01.

The Two Actively Exploited Vulnerabilities

The first issue, CVE-2025-49113, is a critical remote code execution flaw. Researchers reported active exploitation shortly after Roundcube released a patch in June 2025.

At that time, Shadowserver warned that more than 84,000 exposed Roundcube installations were vulnerable.

The second flaw, CVE-2025-68461, allows remote unauthenticated attackers to execute low-complexity cross-site scripting (XSS) attacks. The vulnerability abuses the animate tag within SVG documents.

Roundcube addressed this flaw in versions 1.6.12 and 1.5.12 and strongly urged administrators to upgrade immediately.

Widespread Exposure Risk

Shodan currently indexes over 46,000 Roundcube instances accessible online. However, the exact number of systems still vulnerable to the two CVEs remains unknown.

Because Roundcube has served as the default webmail client for cPanel since 2008, its deployment footprint remains significant across hosting providers and enterprise environments.

Why This Matters

CISA described these vulnerabilities as frequent attack vectors that pose significant risk to the federal enterprise.

Historically, Roundcube vulnerabilities have attracted both cybercriminal groups and state-sponsored actors. For example, Russian-linked groups previously exploited CVE-2023-5631 in attacks targeting European and Ukrainian government entities.

Webmail platforms remain high-value targets because they provide direct access to sensitive communications, credentials, and internal documents.

Federal Deadline and Broader Implications

Federal agencies must remediate affected systems by March 13. Private-sector organizations are not bound by the directive, but they face the same exposure risks.

Organizations running Roundcube should:

  • Verify installed version numbers
  • Apply security updates immediately
  • Monitor for suspicious authentication or web activity
  • Restrict external exposure where possible
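The first two checklist items amount to "find out which Roundcube version is installed and compare it against the fixed releases." The following Python script is an added example written for this article; it is not code from the article or from the Roundcube project. It assumes the installed version is declared as a PHP `define('RCMAIL_VERSION', '...')` line in a file such as `program/include/iniset.php` (that constant name and path are assumptions, not taken from the article) and compares the parsed version, branch by branch, against the fixed versions the article names (1.6.12 and 1.5.12). The sample file content is constructed for the demonstration.

```python
import re

# Fixed releases named in the article: 1.6.12 for the 1.6 branch, 1.5.12 for 1.5.
FIXED_VERSIONS = {
    (1, 6): (1, 6, 12),
    (1, 5): (1, 5, 12),
}

# Assumption: Roundcube declares its version as a PHP define named RCMAIL_VERSION.
# The capture group takes a dotted numeric core plus an optional "-suffix"
# (e.g. "-rc1" or "-git" for pre-release builds).
_VERSION_RE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([0-9]+(?:\.[0-9]+)*(?:-[0-9A-Za-z.]+)?)['"]"""
)

# Constructed sample of the file contents this script expects (not a real file).
SAMPLE_INISET = """<?php
// constructed sample, not a real Roundcube file
define('RCMAIL_VERSION', '1.6.11');
"""


def parse_version(text):
    """Return the version string from the define line, or None if not found."""
    match = _VERSION_RE.search(text)
    return match.group(1) if match else None


def version_tuple(version):
    """Split '1.6.11-rc1' into ((1, 6, 11), 'rc1'); pad short versions to 3 parts."""
    core, _, suffix = version.partition("-")
    parts = tuple(int(p) for p in core.split("."))
    while len(parts) < 3:
        parts += (0,)
    return parts[:3], suffix


def assess(version):
    """Classify a version string against the fixed releases.

    Returns one of:
      'patched'                 version is at or above the fix for its branch
      'vulnerable'              same branch as a fix, but older (or a pre-release
                                of the fixed version itself)
      'vulnerable-unsupported'  branch older than any branch that received a fix
      'unknown-newer-branch'    branch newer than those listed; check the vendor
                                advisory rather than assuming it is safe
    """
    core, suffix = version_tuple(version)
    branch = core[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        if branch < min(FIXED_VERSIONS):
            return "vulnerable-unsupported"
        return "unknown-newer-branch"
    if core > fixed:
        return "patched"
    if core == fixed and not suffix:
        return "patched"
    # Older than the fix, or a pre-release build of the fixed version.
    return "vulnerable"


def check_install(text):
    """Parse the version out of file contents and assess it.

    Returns (version, status); version is None and status is 'unparsed'
    when no RCMAIL_VERSION define is present.
    """
    version = parse_version(text)
    if version is None:
        return None, "unparsed"
    return version, assess(version)


if __name__ == "__main__":
    # Run against the constructed sample; in practice read iniset.php instead.
    found, status = check_install(SAMPLE_INISET)
    print(f"Roundcube {found}: {status}")
```

The branch-aware comparison matters because a plain "is the number bigger" check would flag 1.5.12 as older than 1.6.11 even though 1.5.12 carries the fix and 1.6.11 does not; a 1.4.x install has no listed fix at all and is reported as unsupported rather than silently passed.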

Strategic Perspective

Email systems continue to serve as a gateway to enterprise compromise. When attackers achieve remote code execution in webmail environments, they often pivot deeper into internal networks.

CISA’s directive signals that exploitation activity is credible and ongoing.