CISA Adds Two Actively Exploited Vulnerabilities to Catalog
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new flaws to its Known Exploited Vulnerabilities Catalog. The additions indicate that both vulnerabilities are undergoing active exploitation in the wild. Organizations are being urged to review the catalog and apply necessary patches to affected software immediately.
- The two vulnerabilities affect Roundcube Webmail, a widely used open-source webmail solution. The more severe of the two, CVE-2025-49113, is a deserialization of untrusted data vulnerability with a critical CVSS score of 9.9 out of 10.
- CVE-2025-49113 allows an authenticated attacker to achieve remote code execution by manipulating a URL parameter, which could lead to a full server compromise. This flaw existed in the software for over a decade before being discovered and patched.
- The second vulnerability, CVE-2025-68461, is a cross-site scripting (XSS) issue. An attacker could exploit it by sending an email with a malicious SVG image attachment, potentially allowing them to execute scripts in the victim's browser to steal session cookies or perform unauthorized actions.
- Patches for these vulnerabilities have been available for some time; CVE-2025-49113 was addressed in Roundcube versions 1.5.10 and 1.6.11, and CVE-2025-68461 was fixed in versions 1.5.12 and 1.6.12.
- Advanced persistent threat (APT) groups such as APT28 (also known as Fancy Bear) and Winter Vivern have a history of targeting vulnerabilities in Roundcube to steal email credentials and spy on communications.
- As part of its Binding Operational Directive (BOD) 22-01, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies must apply the necessary patches for both vulnerabilities by March 13, 2026.
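Because the two flaws were fixed in different point releases of the same two branches, a fleet with mixed Roundcube versions can be patched for one CVE and still exposed to the other. The following script, an added example that is not part of the original article and not CISA's or Roundcube's own tooling, turns the fixed versions named above into a branch-aware check over a constructed host inventory. It assumes that every release at or after the fixed version of the same branch (1.5.x or 1.6.x) carries the fix, and it deliberately reports any other branch or unparseable version string as "unknown" rather than as safe.

```python
"""Triage Roundcube versions against the fixed releases named in the advisory.

Fixed versions (from the article):
  CVE-2025-49113 -> 1.5.10 / 1.6.11
  CVE-2025-68461 -> 1.5.12 / 1.6.12

Assumption: a host is patched for a CVE when it runs a release at or after
the fixed version of its own branch. Branches the advisory does not name
(e.g. 1.4.x) and versions that cannot be parsed are reported as "unknown".
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions keyed by CVE, then by (major, minor) branch.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], Version]] = {
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},
    "CVE-2025-68461": {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)},
}

# Accept "1.6.11", "v1.6.11", "1.6.11-rc1"; anything else is unknown.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) or None if the string is not x.y.z-like."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def status(version: str, cve: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one host version and CVE."""
    parsed = parse_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_VERSIONS[cve].get(parsed[:2])
    if fixed is None:
        return "unknown"  # branch not covered by the advisory: do not assume safe
    return "patched" if parsed >= fixed else "vulnerable"


def assess(version: str) -> Dict[str, str]:
    """Status for every CVE in the advisory, for one version string."""
    return {cve: status(version, cve) for cve in FIXED_VERSIONS}


def hosts_needing_action(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Return only hosts that are vulnerable or unknown for at least one CVE."""
    report = {}
    for host, version in inventory.items():
        result = assess(version)
        if any(s != "patched" for s in result.values()):
            report[host] = result
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "mail-01.example.test": "1.6.12",   # fully patched
    "mail-02.example.test": "1.6.11",   # fixed for 49113, still exposed to 68461
    "mail-03.example.test": "1.5.9",    # exposed to both
    "mail-04.example.test": "1.4.15",   # branch not named in the advisory
    "mail-05.example.test": "unknown",  # inventory data missing
}

if __name__ == "__main__":
    for host, result in hosts_needing_action(SAMPLE_INVENTORY).items():
        print(host, result)
```

The conservative "unknown" outcome is intentional: an inventory gap or an out-of-support branch should land on the same worklist as a known-vulnerable host, not disappear from it.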