Citing evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security vulnerabilities affecting the Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-49113 (CVSS score: 9.9) is a deserialization-of-untrusted-data vulnerability that lets an authenticated user execute code remotely, because program/actions/settings/upload.php does not validate the _from parameter in a URL.

CVE-2025-49113 was patched in June 2025. The second flaw, CVE-2025-68461 (CVSS score: 7.2), is a cross-site scripting vulnerability in the animate tag of an SVG document.

According to FearsOff, a Dubai-based cybersecurity firm whose founder and CEO, Kirill Firsov, was credited with discovering and reporting CVE-2025-49113, attackers "diffed and weaponized the vulnerability" within 48 hours of its public disclosure, and an exploit for it was put up for sale on June 4, 2025. CVE-2025-68461 was patched in December 2025.

Firsov added that the flaw had been hiding in the codebase for more than a decade and could be reliably triggered on default installations. Who is behind the exploitation of the two Roundcube flaws is not known, but nation-state threat actors such as APT28 and Winter Vivern have weaponized a number of the email software's vulnerabilities.

Federal Civilian Executive Branch (FCEB) agencies are required to apply the fixes by March 13, 2026, to secure their networks against the active threat.
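Added example (not from the article or the Roundcube project): a small log-triage script that flags requests to Roundcube's settings upload action whose _from parameter is not a plain action name, the input the article says upload.php failed to validate. The access-log format, the allowlist pattern for legitimate _from values, and the request routing (`_task=settings&_action=upload` or a direct path to upload.php) are assumptions, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic). Line 2 carries a
# _from value that is not a plain action name and also contains a generic
# PHP serialized-object marker; the others are ordinary Roundcube requests.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:01:02 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512
203.0.113.11 - - [05/Jun/2025:10:01:07 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512
203.0.113.12 - - [05/Jun/2025:10:02:00 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 4096
"""

# Assumed combined-log-format layout: client, identd, user, [timestamp], "METHOD URL PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# Assumed allowlist: legitimate _from values are plain action names such as "edit-identity".
PLAIN_ACTION_RE = re.compile(r"^[A-Za-z0-9_-]+$")
# Generic PHP serialized-object signature: O:<length>:"<class>"
PHP_OBJECT_RE = re.compile(r'O:\d+:"')


def is_settings_upload(url):
    """True if the request targets the settings upload action (assumed routing)."""
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    return parts.path.endswith("/program/actions/settings/upload.php") or (
        qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]
    )


def find_suspicious_from(log_text):
    """Return (client_ip, timestamp, decoded _from value, reasons) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_settings_upload(m.group("url")):
            continue
        # parse_qs URL-decodes the value once, so we inspect what PHP would see.
        query = urlsplit(m.group("url")).query
        for value in parse_qs(query, keep_blank_values=True).get("_from", []):
            reasons = []
            if not PLAIN_ACTION_RE.match(value):
                reasons.append("_from is not a plain action name")
            if PHP_OBJECT_RE.search(value):
                reasons.append("PHP serialized-object marker in _from")
            if reasons:
                hits.append((m.group("ip"), m.group("ts"), value, reasons))
    return hits
```

Run it over a real access log to surface post-authentication requests worth pulling the session and PHP error logs for; a hit on a patched host is still worth a look since the exploit was on sale within days of disclosure.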