Two critical vulnerabilities affecting Roundcube Webmail, a widely deployed web-based email client (commonly bundled with cPanel), have been confirmed as actively exploited in the wild. The vulnerabilities, CVE-2025-49113 and CVE-2025-68461, were recently added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Roundcube is heavily used in shared hosting environments and enterprise webmail deployments, significantly increasing the potential attack surface. Internet-wide scans indicate tens of thousands of exposed instances, making this a high-priority threat for organizations relying on webmail infrastructure.
Vulnerability Details
CVE-2025-49113: Remote Code Execution (RCE)
This vulnerability allows attackers to execute arbitrary code on the underlying server. It was first observed being exploited shortly after disclosure, with over 84,000 vulnerable instances identified at the time.
CVE-2025-68461: Cross-Site Scripting (XSS)
A flaw in the handling of SVG content (specifically the animate tag) allows unauthenticated attackers to inject malicious scripts via low-complexity payloads.
Both vulnerabilities affect Roundcube versions 1.5.x and 1.6.x prior to patched releases.
Threat Activity & Context
CISA’s inclusion of these vulnerabilities in the KEV catalog confirms active exploitation by threat actors. While specific campaigns have not been publicly detailed, historical patterns indicate that Roundcube vulnerabilities are frequently leveraged by both cybercriminal groups and state-sponsored actors.
Notably:
- Roundcube has previously been targeted by APT28 and Winter Vivern
- Past exploitation campaigns focused on government entities and high-value email communications
- Webmail platforms are attractive targets due to their role in credential harvesting, persistence, and lateral movement
Given this context, exploitation of these vulnerabilities is highly likely to support initial access, email interception and surveillance, and/or credential theft and session hijacking.
Exposure Conditions
Organizations may be at risk if Roundcube Webmail is exposed to the internet, particularly when running versions prior to 1.6.12 or 1.5.12.
The risk increases in environments where users regularly interact with untrusted or external email content, as this can facilitate exploitation of client-side vulnerabilities such as XSS.
Additionally, insufficient network segmentation, where webmail servers are not properly isolated from internal systems, can allow attackers to move laterally and expand their access following initial compromise.
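The version thresholds above are easy to misjudge when an install carries a pre-release suffix or sits on an unlisted branch. The following script, added here as an example and not part of the advisory or the Roundcube project, compares a version string against the fixed releases named above (1.5.12 and 1.6.12); the RCMAIL_VERSION constant and program/include/iniset.php path it reads are assumptions about a typical install and should be verified against your own deployment.

```python
"""Flag Roundcube installs still inside the affected ranges named in this advisory.

Fixed releases per the advisory: 1.5.12 and 1.6.12. Anything in the 1.5.x or
1.6.x branch below those is flagged. Pre-release suffixes (e.g. "-rc", "-git")
sort below the plain release, so "1.6.12-rc" is still flagged.
"""
import re
from typing import Optional, Tuple

# Fixed release per affected branch (from the advisory).
FIXED = {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-+]([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, release_flag); release_flag is -1 for
    pre-releases such as 1.6.12-rc so they sort below the final 1.6.12."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    major, minor, patch, suffix = m.groups()
    return int(major), int(minor), int(patch), (-1 if suffix else 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if within an affected range, False if at/after the fix,
    None if the branch is outside the ranges this advisory covers."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v < fixed + (0,)


def version_from_iniset(source: str) -> str:
    """Extract RCMAIL_VERSION from the content of program/include/iniset.php.
    Constant name and file path are assumed from a typical install (verify
    against your deployment)."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'", source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of the define line, not copied from a real install.
    sample_iniset = "<?php\ndefine('RCMAIL_VERSION', '1.6.11');\n"
    ver = version_from_iniset(sample_iniset)
    state = {True: "VULNERABLE", False: "patched", None: "branch not covered"}
    print(f"Roundcube {ver}: {state[is_vulnerable(ver)]}")
```

Run it against the iniset.php of each webmail host in your inventory; a None result means the branch is not one the advisory lists, not that it is safe.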
Recommended Actions
- Immediately update Roundcube to version 1.6.12 or 1.5.12, or later
- Restrict public access to webmail interfaces where possible
- Implement web application firewall (WAF) protections
- Sanitize and filter incoming email content, especially SVG files
- Enforce strong authentication controls, including MFA
Stay Safe. Stay Secure.
OP Innovate Research Team