ONE Sentinel

Security/THREATS/CRIT

CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

Source: The Hacker News
February 21, 2026
1 min read

EXECUTIVE SUMMARY

CISA Flags Critical Roundcube Vulnerabilities Amid Active Exploitation

Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities in the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. CISA lists a flaw in KEV only when it has evidence of exploitation in the wild, so both flaws should be treated as under active attack rather than as merely severe.

Key Points

  • CISA added two Roundcube vulnerabilities to its KEV catalog on Friday.
  • One of the two is CVE-2025-49113, rated CVSS 9.9; the second CVE is not named in this summary.
  • CVE-2025-49113 is a deserialization of untrusted data vulnerability that allows remote code execution on the webmail server.
  • CISA cited evidence of active exploitation as the basis for the listing.

Analysis

KEV inclusion signals that CISA has evidence of exploitation in the wild, which is a stronger statement than a high severity score alone; for U.S. federal civilian agencies it also carries a binding remediation deadline under BOD 22-01, and many private organizations use the same deadlines as a baseline. CVE-2025-49113 (CVSS 9.9) is a deserialization flaw that yields remote code execution, so a successful attack gives the attacker control of the Roundcube host and the mail it serves. Organizations running Roundcube should identify every instance, confirm the installed version, and move to the vendor's fixed release (or apply mitigations where patching must wait) without delay.

Conclusion

IT professionals should treat every Roundcube webmail deployment as a priority. Immediate actions are to inventory all instances, confirm the installed version against the fixed releases, apply the available patches, and review web server and application logs for signs of exploitation, since a KEV listing means attackers are already using these flaws.
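As an added example, not part of this summary and not tooling from CISA or the Roundcube project, the Python script below performs the two checks recommended above: it filters entries of CISA's KEV JSON feed for a given vendor, and it compares a locally installed Roundcube version against the first fixed releases. The feed URL and the field names (cveID, vendorProject, product, dateAdded, requiredAction, dueDate) are those of CISA's published JSON; the excerpt embedded in the script is constructed, its dates are placeholders, and the second entry uses an obviously invalid CVE id purely to exercise the filter. The fixed versions 1.6.11 and 1.5.10 for CVE-2025-49113 come from Roundcube's release announcement, not from the summary; the second KEV entry is not named here, so it must be added to the fixed-version table once identified (until then any unrecognised CVE is flagged for manual review). The RCMAIL_VERSION constant in program/include/iniset.php is assumed to be where a standard Roundcube install records its version.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the real feed; the dates, requiredAction text and the second
# entry (invalid CVE id, fictitious vendor) are placeholders, not catalog records.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-49113",
            "vendorProject": "Roundcube",
            "product": "Webmail",
            "vulnerabilityName": "Roundcube Webmail Deserialization of Untrusted Data Vulnerability",
            "dateAdded": "2026-02-20",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-13",
        },
        {
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry used only to exercise the filter",
            "dateAdded": "2026-02-20",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-03-13",
        },
    ],
})

# Constructed stand-in for program/include/iniset.php on a vulnerable host
# (assumed location of the version constant in a standard Roundcube install).
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"

# First fixed release per maintained branch. CVE-2025-49113 was fixed in
# Roundcube 1.6.11 and 1.5.10 (from the Roundcube release announcement, not
# from the summary above). The second KEV entry is not named in the summary;
# add it here once identified. Unknown CVEs are flagged, never assumed fixed.
FIXED_IN: Dict[str, Dict[str, Tuple[int, int, int]]] = {
    "CVE-2025-49113": {"1.6": (1, 6, 11), "1.5": (1, 5, 10)},
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]', ignoring any suffix such as '-git'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def kev_entries_for(feed_json: str, vendor: str) -> List[dict]:
    """Return the KEV entries whose vendorProject matches (case-insensitive)."""
    data = json.loads(feed_json)
    return [e for e in data["vulnerabilities"]
            if e.get("vendorProject", "").lower() == vendor.lower()]


def installed_version(iniset_source: str) -> str:
    """Extract RCMAIL_VERSION from the text of program/include/iniset.php."""
    m = re.search(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)", iniset_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found in iniset.php")
    return m.group(1)


def unpatched(version: str, entries: List[dict]) -> List[str]:
    """Return the cveIDs in `entries` that `version` is not known to fix.

    A branch with no recorded fix (for example an end-of-life 1.4.x install)
    and a CVE missing from FIXED_IN are both reported: the safe default is
    to flag for review, not to assume the host is patched.
    """
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    flagged = []
    for e in entries:
        cve = e["cveID"]
        fixes = FIXED_IN.get(cve)
        if fixes is None or branch not in fixes or v < fixes[branch]:
            flagged.append(cve)
    return flagged


def assess(feed_json: str, iniset_source: str, vendor: str = "Roundcube") -> dict:
    """Combine the two checks into one report for a single host."""
    ver = installed_version(iniset_source)
    entries = kev_entries_for(feed_json, vendor)
    return {
        "version": ver,
        "kev_entries": [e["cveID"] for e in entries],
        "unpatched": unpatched(ver, entries),
    }


if __name__ == "__main__":
    print(json.dumps(assess(KEV_SAMPLE, SAMPLE_INISET), indent=2))
```

In production, replace KEV_SAMPLE with the downloaded feed and SAMPLE_INISET with the contents of the real iniset.php; the comparison is per branch, so a 1.5.x host is judged against 1.5.10 and a 1.6.x host against 1.6.11, and anything on an unlisted branch is reported rather than silently passed.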