Cyber: Cisa Adds Two Actively Exploited Roundcube Flaws To Kev Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Dubai-based cybersecurity company FearsOff, whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, said attackers have already "diffed and weaponized the vulnerability" within 48 hours of public disclosure of the flaw. An exploit for the vulnerability was subsequently made available for sale on June 4, 2025.

Firsov also noted that the shortcoming can be triggered reliably on default installations, and that it had been hidden in the codebase for over 10 years.

There are no details on who is behind the exploitation of the two Roundcube flaws. But multiple vulnerabilities in the email software have been weaponized by nation-state threat actors like APT28 and Winter Vivern.

Federal Civilian Executive Branch (FCEB) agencies are to remediate identified vulnerabilities by March 13, 2026, to secure their networks against the active threat.

Source: The Hacker News