Roundcube Under Fire: CISA Issues Emergency Patch Order for State-Sponsored Exploits
If you’re running a Roundcube Webmail server and didn’t spend your Friday patching, your weekend just got a lot shorter. Yesterday, the Cybersecurity and Infrastructure Security Agency (CISA) added a duo of Roundcube flaws to its "Must-Patch" list, following confirmed reports of state-sponsored actors—including the notorious APT28 (Fancy Bear)—weaponizing them for silent data exfiltration.
The Vulnerabilities: A Deadly Double-Feature
The two flaws represent a "one-two punch" that can lead to total server takeover:
- CVE-2025-49113 (CVSS 9.9 - Critical): A critical PHP object deserialization flaw. By manipulating the _from parameter in a specific URL, an authenticated attacker can bypass the application's own input checks and execute arbitrary code on the underlying server.
- CVE-2025-68461 (CVSS 7.2 - High): A clever Cross-Site Scripting (XSS) vulnerability hidden within SVG "animate" tags. An attacker simply sends a specially crafted email with a malicious SVG attachment; when the victim previews it, the script triggers, allowing the attacker to steal session cookies or hijack the entire account.
Why Roundcube? Why Now?
Roundcube remains one of the most popular open-source webmail (IMAP) clients globally, making it a "high-yield" target for espionage. CISA's update yesterday isn't just a suggestion; it's a directive born from the reality that these are no longer theoretical bugs. They are active "skeleton keys" being used to unlock corporate and government mailboxes.
The Hacklido Takeaway
For the red-teamers and researchers in our community, this is a masterclass in Logic-Based Exploitation. As automated scanners get better at finding buffer overflows, these application-level deserialization and SVG rendering flaws are where the real "bounties" are found in 2026.
For the Blue Teamers:
- Version Check: If you are on 1.6.x earlier than 1.6.11 or 1.5.x earlier than 1.5.10, you are currently in scope for exploitation.
- Update Path: Move immediately to version 1.6.13 or 1.5.13 to clear both of these flaws and a secondary CSS injection bug (CVE-2026-26079) that surfaced earlier this week.
- Segment your Mail: As always, make sure your webmail frontend is isolated from your core internal database network.
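As an added blue-team example (not code from this post or from the Roundcube project), the version check above and the SVG preview concern from the vulnerability list, in one Python script: it classifies an installed version against the exact ranges and update targets the post gives, and flags SVG attachments that carry SMIL animation elements or inline event-handler attributes before a webmail preview renders them. The SMIL element family, the status labels and the sample SVGs are assumptions constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges and update targets exactly as stated in the post.
EXPLOITABLE_BELOW = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}
UPDATE_TARGET = {(1, 6): (1, 6, 13), (1, 5): (1, 5, 13)}

def parse_version(text: str) -> tuple[int, ...]:
    """'v1.6.10-rc1' -> (1, 6, 10); leading 'v' and a '-label' suffix are tolerated."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("-")[0].split("."))

def roundcube_status(version: str) -> dict:
    """Classify an installed version; branches the post does not cover are 'unknown', not safe."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in EXPLOITABLE_BELOW:
        return {"version": version, "status": "unknown", "update_to": None}
    if v < EXPLOITABLE_BELOW[branch]:
        status = "exploitable"            # RCE and SVG XSS both unpatched
    elif v < UPDATE_TARGET[branch]:
        status = "update-recommended"     # RCE/XSS fixed, CSS injection fix still missing
    else:
        status = "current"
    return {"version": version, "status": status,
            "update_to": ".".join(map(str, UPDATE_TARGET[branch]))}

# SMIL animation elements (assumption: the family the post's "animate" tag belongs to)
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)

def svg_findings(svg_text: str) -> list[str]:
    """Reasons to block an SVG from inline preview; malformed XML is flagged, not waved through."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as err:
        return [f"unparseable SVG ({err})"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()      # strip the XML namespace prefix
        if tag in ANIMATION_TAGS:
            findings.append(f"animation element <{tag}>")
        for attr in el.attrib:
            if EVENT_ATTR.match(attr.rsplit("}", 1)[-1]):
                findings.append(f"event handler {attr} on <{tag}>")
    return findings

# Constructed samples: a plain rectangle, and the same one with a SMIL animation child
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8"/></svg>'
ANIMATED_SVG = ('<svg xmlns="http://www.w3.org/2000/svg"><rect width="8" height="8">'
                '<animate attributeName="x" from="0" to="8" dur="1s"/></rect></svg>')
```

A mail gateway or preview hook would quarantine any attachment for which svg_findings() returns a non-empty list, and a fleet inventory would page on any host whose roundcube_status() is not "current".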
Hacklido Quick-Tip: Check your building's HVAC! The LonTalk protocol advisory also hit yesterday: thousands of commercial building controllers are currently exposed to the web with unpatchable default MD5 keys. Your air conditioning might be your most vulnerable network node this week.
Stay ahead. Stay dangerous.
Team Hacklido ❤️
Join our Community – https://t.me/hacklido