Threat actors are targeting a critical vulnerability and a high-severity vulnerability in Roundcube Webmail, which is widely used in government and higher education, according to security researchers.
The Cybersecurity and Infrastructure Security Agency on Friday added the vulnerabilities, tracked as CVE-2025-49113 and CVE-2025-68461, to its Known Exploited Vulnerabilities catalog.
The more severe flaw, CVE-2025-49113, is linked to a deserialization vulnerability in Roundcube Webmail that has remained hidden for about 10 years, according to researchers. The flaw had a severity score of 9.9.
“Roundcube is not new to this game,” Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told Cybersecurity Dive. “It has been repeatedly targeted in real world exploitation campaigns for a simple reason. It’s widely used and webmail services are a goldmine.”
The flaw was disclosed in June 2025, and Shadowserver at the time reported about 84,000 instances were vulnerable. Researchers also noted that Roundcube flaws were frequently the target of attacks by state-linked hackers.
The second vulnerability, CVE-2025-68461, is related to cross-site scripting. It was patched in December.
Roundcube, in a December advisory, urged users to update to fixed versions.
