On February 20, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security vulnerabilities affecting Roundcube Webmail to its Known Exploited Vulnerabilities (KEV) catalog, citing confirmed evidence of active exploitation in the wild. The two flaws — tracked as CVE-2025-49113 and CVE-2025-68461 — affect one of the internet's most widely deployed open-source webmail platforms, and their listing comes with a firm deadline: federal civilian agencies must remediate both vulnerabilities by March 13, 2026.
For anyone who has followed Roundcube's history as a target, this news lands without surprise but with urgency. The platform has been a recurring target for sophisticated state-sponsored threat actors — including Russia's APT28 and the espionage group Winter Vivern — precisely because it sits at the intersection of high-value data (email), widely distributed deployment, and a historically slow patching culture among administrators. What is notable this time is the severity of the primary vulnerability, the speed with which attackers moved to exploit it, and the uncomfortable truth that the flaw had been embedded in the codebase for more than a decade before anyone found it.
The Two Vulnerabilities at a Glance
Before examining each flaw in depth, it is worth understanding the combined exposure they represent. One is a near-maximum severity remote code execution bug; the other is a cross-site scripting vulnerability that follows a pattern Roundcube's attackers have used repeatedly. Together, they give an attacker a potential path from initial reconnaissance through full server compromise.
CVE-2025-49113 (CVSS 9.9, PHP object deserialization): program/actions/settings/upload.php allows authenticated remote code execution via an unvalidated _from URL parameter. Traced back to Roundcube 1.1.0, present in the codebase for over 10 years. Patched in Roundcube 1.5.10 and 1.6.11 (June 2025).
CVE-2025-68461 (CVSS 7.2, cross-site scripting): the animate tag in an SVG document allows script injection through a crafted email message. No attacker authentication or deliberate user interaction required (CVSS vector: PR:N, UI:N); the payload executes when the victim's mail client renders the message. Patched in Roundcube 1.5.12 and 1.6.12 (December 2025). A companion vulnerability, CVE-2025-68460 (information disclosure via the HTML style sanitizer), was patched in the same release.
CVE-2025-49113 — The Ghost in the Codebase
CVE-2025-49113 is classified as a deserialization of untrusted data vulnerability, a class of bug that OWASP has consistently listed among the most dangerous software weaknesses for years. The root cause is deceptively simple: the _from parameter passed via URL to the file program/actions/settings/upload.php was not being properly validated before being deserialized by PHP. An attacker who is already authenticated to a Roundcube instance can supply a crafted value for this parameter, triggering the deserialization of malicious PHP objects and achieving arbitrary code execution on the server.
The flaw was discovered and responsibly disclosed by Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff. According to Firsov's research, the vulnerability had been sitting in Roundcube's codebase for more than ten years — unnoticed through countless code reviews, security audits, and version releases. Firsov estimated that the flaw was impacting over 53 million hosts — a figure that reflects total email accounts and users across shared hosting platforms such as cPanel, Plesk, ISPConfig, and DirectAdmin that bundle Roundcube, rather than 53 million distinct servers. For context, Censys observed approximately 2.47 million exposed Roundcube Webmail instances online shortly after the June 2025 disclosure; the Shadowserver Foundation separately tracked roughly 84,000 internet-facing Roundcube installations that remained unpatched; and Shodan tracks over 46,000 publicly accessible instances as of early 2026.
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization. — NIST National Vulnerability Database, CVE-2025-49113 advisory
What happened after disclosure illustrates exactly why CVSS scores alone do not tell the full story. According to FearsOff, attackers had already "diffed and weaponized" the vulnerability within 48 hours of public disclosure. Attackers who monitor patch releases and diff them against previous versions can rapidly identify what was changed, reverse-engineer the underlying flaw, and build a working exploit — a process the security community refers to as "patch diffing." By June 4, 2025, a working exploit for CVE-2025-49113 was actively being offered for sale. On June 3, 2025, researchers at PT SWARM (Positive Technologies' offensive security research team) publicly confirmed they had independently reproduced the exploit in Roundcube, further validating the risk and urging immediate patching.
CVE-2025-49113 scores 9.9 out of 10 on the CVSS scale, which is about as high as a vulnerability can score. The flaw is triggered by authenticated users, meaning an attacker only needs valid credentials — obtained via phishing, credential stuffing, or the XSS companion vulnerability below — to achieve full remote code execution on the server. Importantly, Firsov confirmed it can be triggered reliably on default installations with no special configuration required.
Roundcube released patches addressing this vulnerability on June 1, 2025. The fixed versions are Roundcube 1.5.10 (stable 1.5 LTS branch) and Roundcube 1.6.11 (1.6 branch). The affected version ranges are all 1.5.x releases prior to 1.5.10, and all 1.6.x releases from 1.6.0 through 1.6.10 — per the NIST National Vulnerability Database, the ranges are Roundcube < 1.5.10 and Roundcube 1.6.0–1.6.10. FearsOff's research traces the flaw back to Roundcube 1.1.0, released over ten years ago. Organizations that have not updated since before June 2025 should treat this as an emergency remediation event, not a routine patch cycle.
CVE-2025-68461 — The SVG XSS and Why It Matters
The second vulnerability, CVE-2025-68461, is a cross-site scripting (XSS) flaw with a CVSS score of 7.2. It is triggered via the animate tag within an SVG document embedded in an email message. Critically, this vulnerability requires no authentication and no deliberate user interaction on the attacker's part — the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C) reflects that a remote, unauthenticated attacker simply sends a crafted email. When the victim's Roundcube session renders the malicious SVG content, attacker-controlled JavaScript executes in the context of the victim's authenticated webmail session. To be precise about what UI:N means here: no extra action like clicking a link or opening an attachment is required — the exploit fires automatically when the email is rendered in the browser. The victim only needs to view the message.
Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document. — CVE-2025-68461 advisory
A CVSS of 7.2 might appear moderate compared to the 9.9 of its counterpart, but in the context of a webmail platform this vulnerability class has a long and well-documented track record of enabling serious compromise. XSS in webmail is particularly dangerous because the attack surface is the user's active, authenticated browser session. Successful exploitation can allow an attacker to steal session tokens, capture credentials as they are typed, exfiltrate entire mailboxes, pivot to other internal systems, and — critically — deliver further malware or phishing content to trusted recipients within an organization. In the right hands, a 7.2 XSS in webmail is a launchpad, not a destination.
The pattern of this vulnerability is also deeply familiar. As we will examine below, SVG-based XSS in Roundcube has been exploited repeatedly by nation-state threat actors in recent years. The animate tag variant tracked in CVE-2025-68461 follows a structural lineage of SVG injection techniques that groups like Winter Vivern have refined across multiple Roundcube campaigns. The patches for this vulnerability were released on December 13, 2025, with fixed versions at Roundcube 1.5.12 and Roundcube 1.6.12. That same release also addressed a companion flaw, CVE-2025-68460, an information disclosure vulnerability in the HTML style sanitizer that allows an attacker to bypass CSS filtering and potentially exfiltrate data from the webmail interface. CVE-2025-68460 was not added to CISA's KEV catalog but was patched in the same release and should be considered part of the same remediation event.
XSS and deserialization RCE can be chained into a one-click attack. CVE-2025-68461 requires no attacker authentication — a crafted email alone can steal a victim's session token or capture credentials. Those stolen credentials or session tokens then enable exploitation of CVE-2025-49113 for full server takeover. Security researchers have published working proof-of-concept code demonstrating this full chain. Organizations should treat both vulnerabilities as a single combined risk, not two independent lower-priority items.
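The defensive counterpart to the SVG vector described above is sanitizing SVG content before a webmail client renders it. The following is an added illustration written for this article, not Roundcube's own washtml code or its fix for CVE-2025-68461: it parses an SVG document, removes animation and scripting elements (the deny-list is an assumption chosen for illustration, with animate included because that is the element the CVE abuses), strips on* event-handler attributes, and drops href values that are not plain http(s) or fragment references. The sample SVG is constructed; a production sanitizer would use an allow-list of permitted elements and attributes rather than a deny-list.

```python
import xml.etree.ElementTree as ET

# Conservative, illustrative deny-list (an assumption, not Roundcube's rule set):
# script-capable elements plus the SMIL animation elements, one of which
# (<animate>) is the vector behind CVE-2025-68461.
BLOCKED_ELEMENTS = {
    "script", "foreignObject",
    "animate", "set", "animateTransform", "animateMotion",
}
# Attributes that carry URLs; ElementTree keys namespaced attributes as {uri}name.
URL_ATTRIBUTES = {"href", "{http://www.w3.org/1999/xlink}href"}
ALLOWED_URL_PREFIXES = ("http://", "https://", "#")

# Keep the default SVG namespace unprefixed when serialising the cleaned tree.
ET.register_namespace("", "http://www.w3.org/2000/svg")


def _local_name(tag):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}circle' -> 'circle'."""
    return tag.rsplit("}", 1)[-1]


def sanitize_svg(svg_text):
    """Return (cleaned_svg, removed) for an SVG document string.

    removed lists what was stripped, in order, as 'element:<name>' or
    'attribute:<name>'. Raises xml.etree.ElementTree.ParseError on malformed XML,
    which a caller should treat as "do not render".
    """
    root = ET.fromstring(svg_text)
    removed = []

    # Pass 1: drop blocked elements. Iterate over snapshots so that removing a
    # child does not disturb the traversal.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local_name(child.tag) in BLOCKED_ELEMENTS:
                parent.remove(child)
                removed.append("element:" + _local_name(child.tag))

    # Pass 2: drop event handlers and non-http(s) URL attributes on what remains.
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local_name(attr)
            value = elem.attrib[attr].strip().lower()
            if name.startswith("on"):
                del elem.attrib[attr]
                removed.append("attribute:" + name)
            elif attr in URL_ATTRIBUTES and not value.startswith(ALLOWED_URL_PREFIXES):
                del elem.attrib[attr]
                removed.append("attribute:" + name)

    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: one harmless shape plus the kinds of content the
# sanitizer is meant to strip (no functional payload, just markers).
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle r="4" onload="probe()"/>'
    '<animate attributeName="r" values="1;4" dur="1s"/>'
    '<image href="data:image/svg+xml;base64,AAAA"/>'
    '<script>probe()</script>'
    '</svg>'
)

if __name__ == "__main__":
    cleaned, stripped = sanitize_svg(SAMPLE_SVG)
    print(cleaned)
    print("stripped:", stripped)
```

Running the module prints the cleaned document (only the svg root and a bare circle and image survive) followed by the list of stripped items, which is the kind of record a mail gateway would want to log when a message carries active SVG content.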
Roundcube as a Persistent Target: The Threat Actor Context
To understand why CISA's KEV listing of these vulnerabilities matters beyond the immediate patch obligation, it is essential to understand the threat actor landscape that has surrounded Roundcube for years. This platform is not an incidental target. It has been the deliberate focus of some of the most sophisticated state-sponsored cyberespionage operations operating today. CISA's KEV catalog now tracks more than ten separate Roundcube Webmail vulnerabilities that have been actively exploited or abused in past campaigns, making Roundcube one of the most consistently weaponized open-source applications on the list.
APT28 (Fancy Bear / Sednit / BlueDelta)
APT28 is one of the most well-documented Russian military intelligence (GRU) hacking groups in existence, active for well over a decade and responsible for attacks against NATO governments, political organizations, defense contractors, and critical infrastructure worldwide. In June 2023, Recorded Future detailed APT28's exploitation of three separate Roundcube vulnerabilities — CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026 — in campaigns targeting the Ukrainian government and a company involved in military aviation. The attacks were used for reconnaissance and bulk data exfiltration from email accounts.
APT28's broader campaign, dubbed Operation RoundPress and detailed by ESET in May 2025, revealed that the group had systematically expanded its webmail targeting between 2023 and 2024 to include Roundcube, Horde, MDaemon, and Zimbra servers across organizations in Europe, Africa, and South America. Targets included Ukrainian government entities, defense companies in Bulgaria and Romania producing Soviet-era weapons, and government, military, and academic organizations in Greece, Cameroon, Ecuador, Serbia, and Cyprus. The consistent technique: injecting JavaScript into victims' webmail sessions via XSS exploits to steal credentials and exfiltrate email content.
Over the past two years, webmail servers such as Roundcube and Zimbra have been a major target for several espionage groups such as Sednit, GreenCube, and Winter Vivern. Because many organizations don't keep their webmail servers up to date and because the vulnerabilities can be triggered remotely by sending an email message, it is very convenient for attackers to target such servers for email theft. — ESET researcher Matthieu Faou, May 2025
Winter Vivern (TA473)
Winter Vivern is a cyberespionage group assessed by ESET with low confidence to be linked to Belarusian intelligence, though it operates in support of Russian objectives — particularly in the context of the Russia-Ukraine conflict. Active since at least 2020, the group has consistently targeted governmental entities and think tanks across Europe and Central Asia, with a particular focus on NATO-aligned organizations.
Roundcube has been a recurring instrument in Winter Vivern's toolkit. In 2022 and 2023, the group exploited CVE-2020-35730, an XSS vulnerability in Roundcube, against government email servers. Then on October 11, 2023, ESET discovered Winter Vivern actively exploiting a zero-day XSS vulnerability — CVE-2023-5631 — that required no user interaction beyond simply viewing a malicious email. The group sent crafted emails containing hidden SVG tags with base64-encoded payloads. When rendered in a victim's browser, the payload loaded a JavaScript stager from attacker infrastructure, which then exfiltrated emails to a command-and-control server. Notably, the injection technique leveraged a flaw in Roundcube's SVG sanitization logic — a structural cousin of the SVG-based attack vector seen in CVE-2025-68461.
Winter Vivern is a threat to governments in Europe because of its persistence, its very consistent running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated despite being known to contain vulnerabilities. — ESET researcher Matthieu Faou
While attribution for the active exploitation of CVE-2025-49113 and CVE-2025-68461 has not yet been publicly confirmed as of this writing, the historical pattern is unmistakable: every time a significant Roundcube vulnerability has emerged, nation-state actors with existing toolkits and established Roundcube targeting infrastructure have moved quickly to operationalize it. The 48-hour weaponization timeline for CVE-2025-49113 is consistent with the capabilities of these groups.
What the KEV Listing Actually Means
CISA's Known Exploited Vulnerabilities catalog is one of the most authoritative indicators in enterprise security of which vulnerabilities carry genuine real-world risk — not just theoretical risk on paper. A listing is not made based on CVSS score alone or on researcher proof-of-concept exploits. It requires confirmed evidence that a vulnerability is being actively exploited in the wild against real targets.
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are legally required to address all vulnerabilities in the KEV catalog by their specified due dates. For CVE-2025-49113 and CVE-2025-68461, CISA has set the remediation deadline at March 13, 2026. That is a firm, non-negotiable deadline for federal agencies — not a recommendation.
BOD 22-01 technically applies only to FCEB agencies. However, CISA explicitly recommends that all private sector organizations review the KEV catalog and prioritize remediation of listed vulnerabilities in their own environments. The KEV catalog is not a government-only concern — it is one of the best freely available signals of where real attackers are focusing their efforts right now.
For private organizations, the KEV listing serves a different but equally important function: it is a credible, government-backed signal that threat actors have moved past exploration and are actively leveraging these vulnerabilities in operational campaigns. Security teams can use a KEV listing to cut through internal prioritization debates and justify emergency patching cycles without needing to build a business case from scratch.
Patch Versions and Remediation Steps
The patched versions for both vulnerabilities are confirmed and available. If your organization runs Roundcube in any capacity — whether as a primary mail client, a legacy system for a subset of users, or as part of a hosting control panel environment — verifying the installed version and updating immediately is the appropriate action.
For CVE-2025-49113, the fixed versions are Roundcube 1.5.10 and Roundcube 1.6.11, released June 1, 2025. The Roundcube project's official announcement is available at roundcube.net.
For CVE-2025-68461 and its companion CVE-2025-68460, the fixed versions are Roundcube 1.5.12 and Roundcube 1.6.12, released December 13, 2025.
However, as of this writing (February 24, 2026), Roundcube has released an additional security update: Roundcube 1.5.13 and Roundcube 1.6.13, published February 8, 2026. This release addresses two additional security vulnerabilities — a CSS injection flaw (CVE-2026-26079, reported by CERT Polska) and a remote image blocking bypass via SVG feImage elements (CVE-2026-25916, reported by nullcathedral) — that are separate from the KEV-listed pair. The minimum safe version across all currently disclosed vulnerabilities is therefore 1.5.13 or 1.6.13. Updating to these versions resolves all four vulnerabilities across the December and February patch cycles simultaneously.
# Check your installed Roundcube version
$ grep "define.*RCUBE_VERSION" /path/to/roundcube/program/include/iniset.php
# Alternatively, check the composer.json file
$ grep '"version"' /path/to/roundcube/composer.json
# Minimum safe versions (as of Feb 24, 2026)
# 1.5.x branch → update to 1.5.13 or later
# 1.6.x branch → update to 1.6.13 or later
# Note: Roundcube 1.7 is currently in release candidate (RC4, pre-release) stage.
# The 1.5 and 1.6 LTS branches receive security backports.
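For fleets with more than a handful of Roundcube installations, the manual grep above scales poorly. The script below is an added example, not part of the article or the Roundcube project: it reads the RCUBE_VERSION define from program/include/iniset.php (the define('RCUBE_VERSION', '1.6.11'); line format is assumed to match what the grep above looks for) and evaluates the version against the fixed releases quoted in this article for each of the five CVEs, reporting which remain unpatched and whether the install is below the 1.5.13 / 1.6.13 minimum. The sample iniset.php content is constructed.

```python
import re
import sys

# Fixed releases per CVE, per LTS branch, as stated in this article.
# Releases older than 1.5 fall under "Roundcube < 1.5.10" and are assessed
# against the 1.5 thresholds.
FIXED_IN = {
    "CVE-2025-49113": {"1.5": (1, 5, 10), "1.6": (1, 6, 11)},
    "CVE-2025-68461": {"1.5": (1, 5, 12), "1.6": (1, 6, 12)},
    "CVE-2025-68460": {"1.5": (1, 5, 12), "1.6": (1, 6, 12)},
    "CVE-2026-26079": {"1.5": (1, 5, 13), "1.6": (1, 6, 13)},
    "CVE-2026-25916": {"1.5": (1, 5, 13), "1.6": (1, 6, 13)},
}
MINIMUM_SAFE = {"1.5": (1, 5, 13), "1.6": (1, 6, 13)}

# Assumed line format in program/include/iniset.php; a pre-release suffix such
# as "-git" after the numeric version is tolerated and ignored.
_DEFINE_RE = re.compile(
    r"define\(\s*'RCUBE_VERSION'\s*,\s*'(\d+)\.(\d+)\.(\d+)[^']*'\s*\)"
)


def parse_version(iniset_text):
    """Return (major, minor, patch) from the contents of iniset.php."""
    m = _DEFINE_RE.search(iniset_text)
    if not m:
        raise ValueError("RCUBE_VERSION define not found")
    return tuple(int(part) for part in m.groups())


def assess(version):
    """Compare a version tuple against the fixed releases for each CVE."""
    major, minor = version[0], version[1]
    branch = f"{major}.{minor}"
    if (major, minor) < (1, 5):
        key = "1.5"          # "< 1.5.10" covers every older release
    elif branch in MINIMUM_SAFE:
        key = branch
    else:
        # 1.7 release candidates and anything newer are outside the quoted
        # ranges; report rather than guess.
        return {"version": version, "branch": branch, "known": False}
    unpatched = [cve for cve, fixed in FIXED_IN.items() if version < fixed[key]]
    return {
        "version": version,
        "branch": branch,
        "known": True,
        "unpatched": unpatched,
        "minimum_safe": MINIMUM_SAFE[key],
        "needs_update": version < MINIMUM_SAFE[key],
    }


# Constructed sample of the relevant line in iniset.php.
SAMPLE_INISET = (
    "<?php\n"
    "// ... other defines ...\n"
    "define('RCUBE_VERSION', '1.6.11');\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_INISET
    result = assess(parse_version(text))
    if not result["known"]:
        print("unrecognised branch", result["branch"], "- check release notes manually")
    else:
        print("installed:", ".".join(map(str, result["version"])))
        print("minimum safe:", ".".join(map(str, result["minimum_safe"])))
        print("unpatched:", ", ".join(result["unpatched"]) or "none")
        print("needs update:", result["needs_update"])
```

Invoked with the path to a server's iniset.php it prints the installed version, the minimum safe release for that branch, and the CVEs still open; with no argument it runs against the constructed sample, which (at 1.6.11) shows the KEV-listed RCE fixed but the December and February flaws still open.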
Beyond patching, organizations should conduct a review of their Roundcube deployment posture. Webmail interfaces that are unnecessarily exposed to the public internet represent an elevated risk surface. Where feasible, restricting Roundcube access to VPN or trusted IP ranges significantly reduces the opportunity for unauthenticated reconnaissance and credential-harvesting attacks that could feed into the authenticated exploitation chain described above. Log review for anomalous upload activity targeting upload.php and for unexpected outbound connections from the webmail server should be performed as part of incident response validation. Organizations using hosting control panels such as cPanel, Plesk, ISPConfig, or DirectAdmin that bundle Roundcube should confirm whether those panels deliver automatic Roundcube updates or require manual intervention — control panel environments are frequently the source of delayed patching.
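The log review recommended above can be turned into a repeatable check. The following is an added example, not part of the article or of Roundcube: it reads Apache/Nginx combined-format access log lines, selects requests that reach the settings upload action (matched either as a literal upload.php path or as the _task=settings&_action=upload query pair, which is the dispatch form this example assumes Roundcube uses), and flags any _from value that carries a PHP serialized-object marker (O:<n>:" or C:<n>:") or characters outside a conservative [A-Za-z0-9_-] set. The character allow-list and the sample log lines are constructed for illustration; tune the allow-list to the _from values your own deployment legitimately produces before alerting on it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [ts] "METHOD url PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumed allow-list for legitimate _from values (identifiers such as
# "edit-identity"); adjust after baselining your own logs.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")
# Start of a PHP serialized object (O:) or custom-serialized class (C:).
SERIALIZED_OBJECT = re.compile(r'[OC]:\d+:"')


def is_upload_request(url):
    """True when the request targets the settings upload action."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    if parts.path.endswith("upload.php"):
        return True
    return qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]


def inspect_line(line):
    """Return a finding dict for a suspicious upload request, else None."""
    m = LOG_RE.match(line)
    if not m or not is_upload_request(m.group("url")):
        return None
    # parse_qs percent-decodes values, so the markers are checked in clear text.
    qs = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
    reasons = []
    for value in qs.get("_from", []):
        if SERIALIZED_OBJECT.search(value):
            reasons.append("serialized PHP object marker in _from")
        elif not SAFE_FROM.match(value):
            reasons.append("unexpected characters in _from")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "from": qs.get("_from", []),
        "reasons": reasons,
    }


def scan_log(text):
    """Run inspect_line over every line of a log file's contents."""
    findings = (inspect_line(line) for line in text.splitlines())
    return [f for f in findings if f is not None]


# Constructed sample: ordinary mail listing, a legitimate identity-picture
# upload, and an upload request whose _from value is a serialized object.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [10/Feb/2026:09:12:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2026:09:13:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Feb/2026:09:15:02 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A4%3A%22Demo%22%3A0%3A%7B%7D HTTP/1.1" 500 0 "-" "curl/8.4.0"',
])

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['method']} "
              f"status={finding['status']} from={finding['from']} "
              f"reasons={finding['reasons']}")
```

Feed it a real access log with `scan_log(open(path).read())`; a non-empty result is a trigger for the incident-response validation the paragraph above describes, not proof of compromise on its own, since a 4xx/5xx status on the flagged request may mean the attempt failed against a patched server.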
Key Takeaways
- Patch immediately to Roundcube 1.5.13 or 1.6.13: These versions address CVE-2025-49113, CVE-2025-68461, CVE-2025-68460, and two additional vulnerabilities (CVE-2026-26079 and CVE-2026-25916) patched in the February 8, 2026 release. Any Roundcube installation running below these version thresholds is actively exposed to vulnerabilities confirmed by CISA as being exploited in the wild. Federal agencies face a hard deadline of March 13, 2026, but private organizations should not wait for a deadline. Note that 1.5.12 and 1.6.12 resolve the two KEV-listed flaws but still leave the February 2026 vulnerabilities open — update to 1.5.13 or 1.6.13 to be fully current.
- The 9.9 CVSS score is not a hypothetical: CVE-2025-49113 was weaponized within 48 hours of disclosure and an exploit was sold on the open market within days. The flaw existed for over ten years. Researchers at Positive Technologies independently reproduced it, and a Metasploit module for the vulnerability has since been made available, further lowering the barrier for exploitation. This is not theoretical risk.
- The XSS and RCE vulnerabilities can be chained into a one-click attack: CVE-2025-68461 requires no attacker authentication and no deliberate victim action beyond viewing an email — the payload executes automatically when Roundcube renders the malicious SVG content in the browser. That stolen session or credential then enables CVE-2025-49113 for full server code execution. Researchers have published working proof-of-concept code for this full chain. Treat them as a combined threat, not two separate lower-priority items.
- Roundcube is a proven nation-state target: APT28, Winter Vivern, and GreenCube have all actively exploited Roundcube vulnerabilities in documented campaigns against government entities, military organizations, and NATO-aligned infrastructure. Any organization handling sensitive communications via Roundcube should be operating with that context in mind.
- Reduce the attack surface beyond patching: Audit which Roundcube deployments are publicly internet-facing and consider restricting access to authenticated VPN sessions or allowlisted IP ranges where operationally feasible. Review server logs for anomalous behavior, particularly around file upload endpoints.
The broader lesson from CVE-2025-49113 in particular is a sobering one for the software security community. A flaw of near-maximum severity remained undetected in a widely deployed, open-source webmail platform for over a decade. It took a security researcher at a small Dubai-based firm to find it — and within two days of disclosure, that researcher's work had been turned into a weapon for sale. The vulnerability disclosure ecosystem worked as intended: responsible disclosure, vendor patch, public notification. What it could not control was the speed at which sophisticated attackers respond. That gap can only be closed by prompt patching. As of this writing, the latest stable releases are Roundcube 1.5.13 and 1.6.13 — released February 8, 2026 — and any installation not running these versions carries unresolved exposure across multiple patched CVEs.