Two security flaws in Roundcube webmail software have been added to the U.S. Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, following confirmed evidence of active exploitation in the wild.
CISA’s KEV catalog serves as a living list of vulnerabilities that federal agencies are required to patch within set timeframes. Its inclusion of a flaw signals that exploitation is not theoretical — it is happening. The addition of these two Roundcube vulnerabilities places them in company with some of the most actively targeted weaknesses tracked by the U.S. government.
One of the flaws, CVE-2025-49113, was discovered and reported by Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff. According to Firsov, attackers had already analyzed and weaponized the vulnerability within 48 hours of its public disclosure. By June 4, 2025, an exploit was available for sale. That kind of turnaround — public patch to active sale in under a week — reflects the speed at which sophisticated actors now operate once vulnerability details become available.
Firsov also noted that the flaw can be triggered reliably on default Roundcube installations, which significantly widens the potential attack surface. Perhaps more striking is how long it went unnoticed: the vulnerability had apparently been present in the codebase for over ten years.
Roundcube is a widely deployed open-source webmail client, commonly used by government agencies, academic institutions, and organizations that manage their own email infrastructure. That broad deployment footprint makes it a recurring target.
No specific threat actors have been identified in connection with the current exploitation of these two flaws. That said, Roundcube has a documented history as a target of choice for nation-state groups. APT28, the Russian military intelligence-linked hacking collective, and Winter Vivern, a threat actor with connections to Belarusian and Russian intelligence interests, have both previously weaponized Roundcube vulnerabilities in espionage campaigns. The pattern is established, even if attribution for this particular wave remains unclear.
Federal Civilian Executive Branch agencies have been given a remediation deadline of March 13, 2026, to address the identified vulnerabilities. That deadline, while over six months away, should not be read as an indication of low urgency. CISA’s KEV listings reflect active exploitation — remediation timelines are floors, not ceilings.
For organizations running Roundcube outside the federal government, the practical implication is straightforward: patch now, or accept the risk that a decade-old flaw, now publicly weaponized and commercially available as an exploit, is sitting in your environment waiting to be used.
This article is a curated summary based on third-party sources.