The US Cybersecurity and Infrastructure Security Agency (CISA) has added a pair of Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities Catalog, as one security researcher said webmail systems are a perfect target for hackers.
CVE-2025-49113 impacts versions of the platform from 0 before 1.5.10 and from 1.6.0 before 1.6.11 and could allow remote code execution. The vulnerability was first disclosed in July 2025, and it has since been addressed by a security update. It has a CVSS score of 9.9, making it a critical-severity bug.
CVE-2025-68461 was only disclosed last December and impacts versions of Roundcube Webmail before 1.5.12 and from 1.6 before 1.6.12. This is a cross-site scripting vulnerability with a CVSS score of 7.2, making it merely a high-severity vulnerability. It has also been addressed by a security update.
According to one cyber security researcher, Roundcube is no stranger to being a target for hackers.
“Roundcube is not new to this game. It has been repeatedly targeted in real-world exploitation campaigns for a simple reason,” said Ryan Dewhurst, cyber security firm watchTowr’s head of proactive threat intelligence.
“It’s widely used, and webmail services are a goldmine. It gives hackers direct access to sensitive communications, credential harvesting opportunities and clean internal pivot points. There are 11 Roundcube CVEs currently listed in CISA’s KEV catalogue. That is a clear pattern.
“In 2024, CVE-2023-43770, a different stored XSS vulnerability, was listed on CISA KEV after confirmed in-the-wild exploitation. Just because it’s XSS doesn’t mean that it won’t be weaponised and used.”
To make matters worse, Roundcube’s large self-hosted footprint only compounds the problem, according to Dewhurst.
“Patch adoption may lag, and attackers know this,” Dewhurst said.
“The result? A platform that has demonstrated consistent exploitation value over time. Not a one-off. Roundcube has effectively proven itself to be a reliable webmail target for threat actors.”
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.