Attack

CISA Warns of Active Exploitation Targeting Roundcube Webmail Vulnerabilities

Take action: If you are using Roundcube Webmail, this is important. Update to version 1.5.12 or 1.6.12 ASAP. Your webmail interface is under attack.


CISA is warning of active exploitation of two security vulnerabilities in Roundcube Webmail, a widely used open-source webmail solution.

Vulnerabilities summary:

  • CVE-2025-49113 (CVSS score 9.9) - A deserialization of untrusted data vulnerability that allows authenticated attackers to run arbitrary commands on the host system. By exploiting how the application processes serialized objects, an attacker with a valid email account can trigger remote code execution to take full control of the server.
  • CVE-2025-68461 (CVSS score 7.2) - A cross-site scripting (XSS) vulnerability residing in the processing of the "Animate" tag within SVG files. Attackers can send malicious SVG attachments that, when viewed by a user, execute arbitrary JavaScript in the context of the victim's browser session.

Public exploit code for the deserialization flaw has been circulating since June 2025. Roundcube initially patched the RCE issue in versions 1.5.10 and 1.6.11, but the later discovery of the XSS flaw required additional security releases.

Administrators must update Roundcube Webmail to version 1.5.12 or 1.6.12 ASAP. Restricting network access to the webmail interface is a possible temporary mitigation, but rarely realistic, since the interface is by design the public-facing part of the web application.
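Two small triage helpers for the issues above, written here as an added example (not code from CISA or the Roundcube project): one checks an installed version string against the fixed releases named in this advisory, the other flags SVG attachments that contain an `animate` element so a mail gateway can quarantine them for review. The three sibling animation elements (`animateTransform`, `animateMotion`, `set`) are included as an assumption for defence in depth; the advisory itself only names `animate`.

```python
"""Defender-side triage helpers for the Roundcube advisory above."""
import re
import xml.etree.ElementTree as ET

# Minimum patched versions per release branch, as stated in the advisory.
PATCHED = {"1.5": (1, 5, 12), "1.6": (1, 6, 12)}


def parse_version(version: str) -> tuple:
    """Turn '1.6.11' into (1, 6, 11); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def needs_update(version: str) -> bool:
    """True when the installed version predates the fixed release of its branch.
    Branches this advisory does not cover are reported as True (check manually)."""
    v = parse_version(version)
    branch = ".".join(str(p) for p in v[:2])
    fixed = PATCHED.get(branch)
    if fixed is None:
        return True
    return v < fixed


# "animate" is the element the advisory names; the other three are an assumption.
ANIMATION_TAGS = {"animate", "animatetransform", "animatemotion", "set"}


def svg_has_animation(svg: bytes) -> bool:
    """True when an SVG attachment contains an animation element.
    Unparseable input is reported as suspicious rather than clean."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return True
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1].lower()  # strip XML namespace
        if local in ANIMATION_TAGS:
            return True
    return False


if __name__ == "__main__":
    # Constructed samples, not real attachments.
    clean = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
    animated = (b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1">'
                b'<animate attributeName="width" to="2"/></rect></svg>')
    print(needs_update("1.6.11"), needs_update("1.6.12"))        # True False
    print(svg_has_animation(clean), svg_has_animation(animated))  # False True
```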
