Recent RoundCube Webmail Vulnerability Exploited in Attacks
Briefly

"This was the case in June last year with CVE-2025-49113 (CVSS score of 9.9), a post-authentication remote code execution (RCE) issue that was added to CISA's Known Exploited Vulnerabilities (KEV) catalog on Friday. The critical bug was introduced over a decade ago and impacts all RoundCube versions 1.1.0 through 1.6.10, allowing attackers to include a payload in the name of files to be uploaded, leading to data being injected in the current session."
"On Friday, CISA warned that, in addition to CVE-2025-49113, threat actors have been exploiting CVE-2025-68461 (CVSS score of 7.2), a high-severity RoundCube vulnerability patched in December 2025. The flaw, an XSS issue exploitable via the animate tag in an SVG document, was resolved in Webmail versions 1.6.12 and 1.5.12. The vulnerable RoundCube releases did not properly sanitize malicious payloads that could be embedded in the animate tag, allowing attackers to execute code in the context of the victim's browser session without user interaction."
CISA warned that threat actors are actively exploiting two RoundCube Webmail vulnerabilities, CVE-2025-49113 and CVE-2025-68461. CVE-2025-49113 is a post-authentication remote code execution flaw (CVSS 9.9) affecting versions 1.1.0 through 1.6.10, allowing attackers to embed payloads in uploaded file names and inject data into the session. The defect was patched on June 1, 2025, and exploit code appeared shortly after with claims that required credentials could be brute forced. CVE-2025-68461 is a high-severity XSS issue (CVSS 7.2) exploitable via the animate tag in SVG, fixed in versions 1.6.12 and 1.5.12. CISA directed federal agencies to patch both flaws within three weeks under BOD 22-01 and advised organizations to prioritize KEV catalog entries.
Read at SecurityWeek