CISA Slaps Two Roundcube Bombshells on KEV List – Hackers Already Pouncing
Hey devs, CISA just dropped two nasty Roundcube webmail flaws into its Known Exploited Vulnerabilities catalog because attackers are actively hammering them. The big one, a 9.9 CVSS remote code execution bug, got weaponized in under 48 hours after disclosure – talk about fast fashion for exploits.
The Gory Details
We’re talking CVE-2025-49113, a deserialization flaw in the upload.php file that lets authenticated users run arbitrary code via a dodgy _from parameter. It was lurking in the codebase for over 10 years, fixed in Roundcube 1.5.10 and 1.6.11 back in June 2025. Dubai’s FearsOff crew spotted it, and boom – exploits hit the black market by June 4.
Then there’s CVE-2025-68461, a 7.2 CVSS XSS via sneaky SVG animate tags, patched in 1.5.12 and 1.6.12 last December. Roundcube powers tons of setups like cPanel, Plesk, and more – researchers say it hit over 53 million hosts at discovery. Nation-states like APT28 and Winter Vivern have abused similar holes before for credential theft and spying. Feds have until March 13, 2026, to patch, but everyone’s urged to move now.
Why Devs Should Sweat This
If you’re running Roundcube anywhere – email servers, hosting panels, you name it – this is your wake-up call. Default installs are sitting ducks, and with exploits flying, one missed patch means RCE city. Web devs, check your stacks; these aren’t theoretical – they’re live fire. Prioritize patching over that new feature; unpatched email is a hacker’s VIP lounge.
Final Take
Roundcube’s a staple, but this proves even old code hides killers. Update yesterday, scan your logs, and maybe audit those uploads. Stay sharp out there – cyber’s a battlefield, not a playground.
