CISA: Recently patched RoundCube flaws now exploited in attacks

Bleeping Computer
by Sergiu Gatlan
February 23, 2026
AI-Generated Deep Dive Summary
CISA has identified two critical vulnerabilities in the Roundcube Webmail client that are currently being exploited in attacks. The agency has directed U.S. federal agencies to patch these vulnerabilities within three weeks, by March 13, as part of its efforts to mitigate risks to federal systems.

The first vulnerability (CVE-2025-49111) is a critical remote code execution flaw that was exploited shortly after being patched in June 2025, with Shadowserver reporting over 84,000 vulnerable installations exposed to attacks. The second issue (CVE-2025-68461) is a low-complexity cross-site scripting (XSS) vulnerability that can be exploited through the animate tag in SVG documents. Both flaws were added to CISA's Known Exploited Vulnerabilities Catalog, highlighting their potential risks.

Roundcube Webmail has been the default email interface for cPanel since 2008 and remains widely used across the internet. While Shodan tracks over 46,000 accessible instances, the exact number of vulnerable systems exposed to these specific flaws is unclear.

CISA's alert follows a history of Roundcube vulnerabilities being targeted by cybercriminals and state-sponsored groups. Recent examples include a stored XSS flaw (CVE-2023-5631) exploited by the Winter Vivern (TA473) group in attacks against European governments and APT28's use of similar tactics to breach Ukrainian email systems.

The vulnerabilities underscore the critical need for timely patches, especially given the popularity of Roundcube among federal agencies. CISA has previously tracked over 20 Roundcube flaws that have been exploited or pose significant risks. The agency's directive reflects its ongoing focus on addressing known threats to protect federal infrastructure from potential breaches. This latest action highlights the urgent importance of maintaining robust cybersecurity practices, particularly for widely used but potentially vulnerable tools like webmail clients.

For readers focused on security, this news emphasizes the dynamic nature of cyber threats and the need for organizations to stay ahead of exploits. The exploitation of these Roundcube vulnerabilities demonstrates how quickly flaws can be weaponized and the significant risks they pose to government systems. By requiring federal agencies to patch within a strict timeframe, CISA aims to minimize exposure and reduce attack surfaces. This proactive approach underscores the importance of vigilance in cybersecurity and the ongoing battle to stay ahead of malicious actors.
Originally published on Bleeping Computer on 2/23/2026