Roundcube Webmail: Attacks on security vulnerabilities ongoing

The IT security authority CISA warns of currently observed attacks on Roundcube webmail vulnerabilities. Admins should update.

[Image: Mails and envelopes in front of a laptop (Michael Traitov/Shutterstock.com)]


The US IT security authority CISA warns of attacks on the open-source software Roundcube Webmail. It concerns a critical and a high-risk vulnerability that criminals are now apparently targeting.

The CISA warning is, as usual, extremely brief. According to the report, attacks have been observed on a vulnerability in the deserialization of untrusted data (CVE-2025-49113, CVSS 9.9, risk “critical”) as well as on a cross-site scripting vulnerability (CVE-2025-68461, CVSS 7.2, risk “high”). How the attacks are carried out and to what extent remains unclear. IT managers should nevertheless not hesitate and update to the latest bug-fixed version of Roundcube Webmail.

The vulnerability classified as “critical” was only rated as high risk by NIST, with a CVSS score of 8.8. However, an example exploit demonstrating its misuse already appeared at the beginning of June last year. Through this vulnerability, attackers can execute arbitrary commands on vulnerable systems; a valid email account is required for this. It was fixed in Roundcube Webmail 1.5.10 and 1.6.11.

The second vulnerability became known shortly before Christmas. It enables cross-site scripting attacks and affects the processing of the “animate” tag in SVG files. Here too, NIST initially gave a rating of medium risk with a CVSS score of 6.1, while MITRE sees a high risk, with the danger level “high” and a CVSS score of 7.2. The observed attacks apparently support the latter assessment.


IT managers should secure their systems by installing at least the bug-fixed versions 1.5.12 or 1.6.12, in which the developers closed the cross-site scripting vulnerability. CISA also does not provide any indicators of compromise (IOCs) that admins could use to check whether their instances have been attacked.
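Since CISA publishes no IOCs, the one check an admin can reliably make is whether the installed version predates the fixes named in this article. The following script is an added example (not code from heise or from the Roundcube project): it compares a version string against the fixed versions stated above, 1.5.10/1.6.11 for CVE-2025-49113 and 1.5.12/1.6.12 for CVE-2025-68461, and reports which of the two advisories a given install is still exposed to. It assumes that Roundcube declares its version as `define('RCMAIL_VERSION', '...')` in `program/include/iniset.php`, that branches older than 1.5 received no fix, and that any branch newer than 1.6 was cut after the fixes landed; the sample `iniset.php` line in the block is constructed.

```python
import re

# Fixed versions as stated in the article (constructed lookup table; confirm
# against the project's release notes before relying on it).
FIXED_IN = {
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},  # deserialization, RCE
    "CVE-2025-68461": {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)},  # SVG <animate> XSS
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) for strings such as '1.6.11' or '1.6.11-git'.

    A hyphenated suffix is ignored, i.e. a pre-release build is treated like
    the release it precedes (a simplification that errs towards 'patched').
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Roundcube version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(version_text):
    """List the advisory CVEs the given Roundcube version is still exposed to."""
    version = parse_version(version_text)
    branch = version[:2]  # e.g. (1, 6)
    exposed = []
    for cve, fixes in FIXED_IN.items():
        if branch in fixes:
            patched = version >= fixes[branch]
        elif branch < min(fixes):
            # Assumption: branches older than 1.5 received no fix at all.
            patched = False
        else:
            # Assumption: a branch newer than 1.6 was cut after both fixes landed.
            patched = True
        if not patched:
            exposed.append(cve)
    return exposed


_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_iniset(php_source):
    """Pull the version out of program/include/iniset.php.

    Assumes the define('RCMAIL_VERSION', '...') form used by Roundcube.
    """
    match = _DEFINE_RE.search(php_source)
    if not match:
        raise ValueError("RCMAIL_VERSION not found in the supplied source")
    return match.group(1)


if __name__ == "__main__":
    # Constructed stand-in for the relevant line of iniset.php; in practice read
    # the file from the webroot, e.g. open('program/include/iniset.php').read().
    sample_iniset = "<?php\n// ...\ndefine('RCMAIL_VERSION', '1.6.11');\n"
    installed = version_from_iniset(sample_iniset)
    missing = unpatched_cves(installed)
    if missing:
        print(f"Roundcube {installed}: still exposed to {', '.join(missing)}")
    else:
        print(f"Roundcube {installed}: both advisories fixed")
```

Running it on an install that declares 1.6.11 reports that CVE-2025-49113 is closed but CVE-2025-68461 is not, which matches the article: only 1.5.12 and 1.6.12 cover both. Pair the check with a look at the web server's access logs around the time of CISA's warning, since the version alone says nothing about whether an exploit was already attempted.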

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.