CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog
"The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities ( KEV) catalog, citing evidence of active exploitation. CVE-2025-49113 (CVSS score: 9.9) - A deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php. (Fixed in June 2025)"
"Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers have already " diffed and weaponized the vulnerability" within 48 hours of public disclosure of the flaw. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025."
"Firsov also noted that the shortcoming can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years. There are no details on who is behind the exploitation of the two Roundcube flaws. But multiple vulnerabilities in the email software have been weaponized by nation-state threat actors like APT28 and Winter Vivern."
CISA added two Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php; it was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is a cross-site scripting vulnerability triggered via the animate tag in an SVG document; it was fixed in December 2025.

FearsOff reported that attackers diffed and weaponized CVE-2025-49113 within 48 hours of public disclosure, and an exploit was offered for sale on June 4, 2025. The flaw can be triggered reliably on default installations and had been present in the codebase for over ten years. Because it requires an authenticated user, exploitation presupposes valid webmail credentials, so a patched server should still be checked for prior account compromise. No attribution for the current exploitation is available, though nation-state actors such as APT28 and Winter Vivern have previously weaponized Roundcube vulnerabilities. Federal Civilian Executive Branch (FCEB) agencies must remediate both vulnerabilities by March 13, 2026.
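The summary names the SVG animate element for the second entry but not what makes it dangerous. SMIL animation elements rewrite an attribute of their parent at render time, so an animate element targeting href on a link inside an SVG can turn a harmless anchor into a javascript: URL even though no such href appears in the markup a naive attribute filter inspects. The Python below is an added example, not Roundcube's washtml sanitizer, and whether the payload exploited in the wild took exactly this shape is an assumption. It flags that pattern and strips any animate or set element that targets a link attribute, which generalizes slightly beyond the single animate tag the advisory names. The SVG inputs are constructed.

```python
"""Check and strip SMIL animations that retarget an SVG link attribute.

Added example, not Roundcube's washtml. That the CVE-2025-68461 payload used
this exact animate-to-href pattern is an assumption; the vector itself is the
classic form of the SVG animate XSS.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# SMIL elements that can rewrite a parent attribute; matched with and without namespace.
SMIL_TAGS = {f"{{{SVG_NS}}}animate", f"{{{SVG_NS}}}set", "animate", "set"}
TARGET_ATTRS = {"href", "xlink:href"}          # attributeName values that aim at a link
VALUE_ATTRS = ("values", "to", "from", "by")   # where the injected URL can live
SCRIPT_SCHEME = re.compile(r"^(javascript|vbscript):", re.I)


def _is_script_url(value):
    """True if any keyframe of a SMIL value resolves to a script scheme.

    Control characters (tab, newline, ...) are removed first because browsers
    ignore them inside a scheme, so 'java\tscript:' still executes.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return any(SCRIPT_SCHEME.match(part) for part in cleaned.split(";"))


def find_animate_href_injections(svg_text):
    """Return (attribute, value) pairs for animations that point a link at script."""
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if el.tag not in SMIL_TAGS or el.get("attributeName") not in TARGET_ATTRS:
            continue
        for attr in VALUE_ATTRS:
            val = el.get(attr)
            if val is not None and _is_script_url(val):
                findings.append((attr, val))
    return findings


def strip_href_animations(svg_text):
    """Remove every animate/set element that targets a link attribute.

    Dropping them regardless of value is the safe policy: there is no
    legitimate reason for an e-mail's SVG to animate a link destination.
    Returns (cleaned_svg, number_removed).
    """
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag in SMIL_TAGS and child.get("attributeName") in TARGET_ATTRS:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


# Constructed inputs. The hostile one hides a tab (&#9;) inside the scheme.
MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <a><text x="10" y="20">open</text>
    <animate attributeName="href" values="java&#9;script:alert(document.domain)" dur="1s" fill="freeze"/>
  </a>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="10">
    <animate attributeName="r" values="10;20;10" dur="2s" repeatCount="indefinite"/>
  </circle>
</svg>"""

if __name__ == "__main__":
    print("findings:", find_animate_href_injections(MALICIOUS_SVG))
    cleaned, n = strip_href_animations(MALICIOUS_SVG)
    print(f"removed {n} element(s):\n{cleaned}")
    print("benign findings:", find_animate_href_injections(BENIGN_SVG))
```

A sanitizer that only inspects href attributes directly, or that only blocks script elements and on* handlers, passes the hostile sample untouched; the animation is what writes the URL, so the filter has to reason about SMIL targets, not just static attributes.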
Read at The Hacker News