CISA Warns of Multiple Roundcube Vulnerabilities Exploited in Attacks

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


CISA has officially updated its Known Exploited Vulnerabilities (KEV) Catalog to include new security flaws affecting a popular webmail platform.

On February 20, 2026, the agency added two critical vulnerabilities found in Roundcube Webmail based on clear evidence that threat actors are actively exploiting them in the wild.

This update highlights the ongoing risks associated with web-based communication tools. It warns organizations to secure their email infrastructure immediately.

Two Roundcube Vulnerabilities Added

The newly added entries represent significant security gaps that allow attackers to compromise systems running vulnerable versions of the software.

The first vulnerability involves deserializing untrusted data. This type of flaw occurs when an application improperly processes user-supplied data, allowing an attacker to manipulate the application’s logic or execute arbitrary code on the server.
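The pattern the article describes, as an added illustration that is not Roundcube's own code and makes no claim about how CVE-2025-49113 is triggered: a PHP handler that passes a client-supplied preference blob straight into unserialize(), beside two hardened replacements. The field name "prefs", the AuditLogger class and the sample payloads are constructed for the example.

```php
<?php
// Added example (not Roundcube code): the unsafe pattern the article describes
// beside a hardened replacement. Assumed input: a cookie or POST field holding
// serialized PHP state, named "prefs" here as a placeholder.

declare(strict_types=1);

// Constructed sample: what a benign, expected payload looks like.
$expected = serialize(['sort' => 'date', 'page_size' => 50]);

// A constructed object-bearing payload of a class that exists in this script,
// used only to show that unserialize() will instantiate whatever class the
// input names.
class AuditLogger {
    public string $path = '/tmp/audit.log';
}
$objectBearing = serialize(new AuditLogger());

// VULNERABLE: untrusted bytes go straight into unserialize(). Any class that
// is loadable in the application can be instantiated, and magic methods such
// as __wakeup()/__destruct() run on attacker-chosen property values.
function loadPrefsUnsafe(string $raw): mixed {
    return unserialize($raw);
}

// HARDENED, option 1: keep the wire format but forbid object instantiation.
// Objects in the input become __PHP_Incomplete_Class instances instead of
// live objects, so no magic method of an application class can fire.
function loadPrefsNoObjects(string $raw): array {
    $data = unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('prefs must deserialize to an array');
    }
    foreach ($data as $v) {
        if (is_object($v)) {
            throw new UnexpectedValueException('object in prefs rejected');
        }
    }
    return $data;
}

// HARDENED, option 2: change the format. JSON cannot express PHP objects at all,
// so there is nothing for a gadget chain to attach to.
function loadPrefsJson(string $raw): array {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('prefs must be a JSON object');
    }
    return $data;
}

var_dump(loadPrefsUnsafe($objectBearing) instanceof AuditLogger); // bool(true): live object
var_dump(loadPrefsNoObjects($expected));                           // plain array
try {
    loadPrefsNoObjects($objectBearing);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(loadPrefsJson('{"sort":"date","page_size":50}'));
```

The `allowed_classes` option exists since PHP 7.0 and `max_depth` since 7.4; where the application controls both ends of the format, switching to JSON removes the class of bug entirely rather than constraining it.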

CVE ID | Product | Vulnerability Type | Affected Component | Impact | Severity (CVSS)*
--- | --- | --- | --- | --- | ---
CVE-2025-49113 | Roundcube Webmail | Deserialization of Untrusted Data | PHP backend processing | Remote attackers can execute arbitrary code or manipulate application logic via crafted serialized input. | Critical
CVE-2025-68461 | Roundcube Webmail | Cross-Site Scripting (XSS) | Web interface / input handling | Attackers can inject malicious scripts, potentially leading to session hijacking or data theft. | High

The second issue is a Cross-Site Scripting (XSS) vulnerability. XSS flaws typically allow adversaries to inject malicious scripts into web pages viewed by other users, often leading to session hijacking or the theft of sensitive credentials.
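The general XSS mechanism the paragraph describes, as an added example that is not Roundcube's code and does not reproduce CVE-2025-68461: a message subject rendered into HTML with raw interpolation, beside the contextually encoded version and a Content-Security-Policy header used as defence in depth. The subject string and the functions are constructed for this example.

```php
<?php
// Added example (not Roundcube code): rendering an untrusted message field
// into HTML. The "subject" value is a constructed sample, not a payload from
// the vulnerability the article reports.
declare(strict_types=1);

// Constructed sample input: a subject line containing HTML metacharacters.
$subject = 'Re: report <b>Q1</b> "final" & <script>alert(1)</script>';

// VULNERABLE: raw interpolation. The browser parses the subject as markup,
// so any tag or event handler in it executes in the reader's session.
function renderSubjectUnsafe(string $subject): string {
    return "<td class=\"subject\">$subject</td>";
}

// HARDENED: contextual output encoding. For HTML text and attribute context,
// escape &, <, >, " and ' and declare the charset so multibyte sequences
// cannot change how the browser tokenizes the output.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSubjectSafe(string $subject): string {
    return '<td class="subject" title="' . h($subject) . '">' . h($subject) . '</td>';
}

// Defence in depth: a Content-Security-Policy that disallows inline script
// limits what an injected <script> or on* handler can do if an encoding gap
// remains somewhere else in the UI. Shown as a string; header() would send
// it with a real response.
const CSP_HEADER = "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

echo renderSubjectUnsafe($subject), "\n"; // markup passes through untouched
echo renderSubjectSafe($subject), "\n";   // &lt;b&gt;Q1&lt;/b&gt; ... rendered as text
echo CSP_HEADER, "\n";
```

Encoding is chosen per output context: htmlspecialchars() is correct for element content and quoted attributes, but a value placed inside a URL, a JavaScript string or a CSS property needs the encoder for that context instead.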

These vulnerabilities are considered frequent attack vectors for malicious cyber actors because webmail interfaces are often exposed to the public internet.

By exploiting these weaknesses, attackers can gain unauthorized access to email accounts, intercept sensitive communications, or establish a foothold within a broader network.

CISA has determined that these specific flaws pose a significant risk to the federal enterprise, necessitating immediate attention from security teams.

The addition of these flaws to the catalog falls under Binding Operational Directive (BOD) 22-01, titled “Reducing the Significant Risk of Known Exploited Vulnerabilities.”

This directive established the KEV catalog as a living list of CVEs that carry significant risk to the federal government.

Under this mandate, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by specific due dates to protect federal networks against active threats.

The directive aims to shift the focus from merely managing all vulnerabilities to prioritizing those that hackers are actually using.

Although the BOD 22-01 requirements are legally binding only for FCEB agencies, CISA strongly urges all organizations to adopt a similar urgency.

Private companies, state governments, and critical infrastructure providers are advised to prioritize the timely remediation of KEV Catalog vulnerabilities as part of their standard vulnerability management practice.

Organizations using Roundcube Webmail should check for available security updates and apply patches immediately to reduce their exposure to these cyberattacks.

CISA continues to update the catalog regularly as new exploitation evidence meets its specified criteria.
