CISA Flags Critical Roundcube Vulnerabilities as Actively Exploited Threats

CISA has added two critical vulnerabilities in Roundcube webmail software to its KEV catalog due to evidence of active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two significant vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog. They include CVE-2025-49113, which has a CVSS score of 9.9, indicating critical risk. This flaw, a deserialization of untrusted data, allows attackers to execute code remotely, potentially compromising sensitive data and systems at organizations that use Roundcube for email management.

For businesses, the addition of these vulnerabilities to the KEV catalog is a signal to prioritize patching and remediation immediately. Organizations using Roundcube should assess their systems for these vulnerabilities and apply updates as soon as possible to reduce the risk of exploitation. The development underscores the ongoing challenge of maintaining cybersecurity as threats evolve, particularly as attackers increasingly target widely used software. Addressing these vulnerabilities protects organizational data and strengthens overall cybersecurity posture, since such flaws are often the gateway to more severe attacks.

---

*Originally reported by [The Hacker News](https://thehackernews.com/2026/02/cisa-adds-two-actively-exploited.html)*