The March 13 Deadline: CISA Demands Immediate Action on Roundcube Webmail
By: Nandhana.M | February 23, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has effectively declared a "patch or perish" window for Roundcube Webmail. Following evidence of active, real-world exploitation, CISA added two Roundcube flaws to its Known Exploited Vulnerabilities (KEV) catalog on Friday, February 20.
For Federal Civilian Executive Branch agencies the KEV listing is binding under BOD 22-01: remediate CVE-2025-49113 and CVE-2025-68461 by March 13, 2026. For everyone else it is the clearest signal CISA gives that a bug is being used against real targets right now, and the same deadline is a sensible one to adopt.
The "One-Two Punch" Threat
The two KEV entries are distinct, high-impact bugs, and threat groups are chaining them: the XSS gets script running inside a logged-in user's webmail session, and the RCE, which requires an authenticated session, turns that into code execution on the server.
- The RCE (CVE-2025-49113, CVSS 9.9): a PHP object deserialization flaw. An authenticated user can pass a crafted _from parameter in the URL; the value lands in the PHP session without validation, and when the serialized session is read back the injected object is instantiated, giving arbitrary code execution on the mail server. The bug sat unnoticed in the codebase for roughly a decade before it was found and weaponized; it was fixed in 1.6.11 and 1.5.10.
- The XSS (CVE-2025-68461, CVSS 7.2): a cross-site scripting bug in Roundcube's SVG sanitization. An <animate> element inside an SVG can rewrite attributes after the sanitizer has run, so script executes in the victim's webmail session as soon as they preview the message; no click is required. From there an attacker can hijack the session and act as the user.
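The SVG bullet above describes the mechanism but not a way to find such messages. The following is an added example for this post, not Roundcube's own washtml code: it walks a MIME message, pulls out SVG attachments and inline <svg> blocks from HTML parts, and flags any <animate>/<set> element that retargets a link attribute or carries a javascript: value. The message is constructed, and its payload is the generic "animate rewrites href" pattern rather than the exact CVE-2025-68461 trigger, which this post does not show, so treat the rules as a starting point for a gateway or mailbox sweep, not a signature.

```python
"""Flag SVG content that uses <animate>/<set> to rewrite attributes a browser
will follow. Added illustration for this post, not Roundcube's washtml code.
SAMPLE_EMAIL is constructed; its payload is the generic "animate rewrites
href" pattern, not the exact CVE-2025-68461 trigger (which this post does not
show), so treat the rules here as a starting point, not a signature."""
import email
import re
from email import policy
from xml.etree import ElementTree as ET   # untrusted XML: use defusedxml in production

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Attributes an animation element may retarget that the browser then dereferences.
LINK_ATTRS = {"href", "xlink:href", f"{{{XLINK_NS}}}href"}
# SVG animation elements able to change attribute values after sanitisation ran.
ANIM_TAGS = {f"{{{SVG_NS}}}animate", f"{{{SVG_NS}}}set", "animate", "set"}

# Constructed two-part message: an inline SVG in the HTML body that retargets a
# link to javascript:, and a benign SVG attachment that only animates a width.
SAMPLE_EMAIL = b"""\
From: sender@example.test
To: victim@example.test
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body><p>hello</p>
<svg xmlns="http://www.w3.org/2000/svg"><a href="https://example.test/">
<animate attributeName="href" values="javascript:alert(1)"/>
<text x="10" y="20">click</text></a></svg>
</body></html>
--b1
Content-Type: image/svg+xml; name="logo.svg"
Content-Disposition: attachment; filename="logo.svg"

<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<rect width="10" height="10"><animate attributeName="width" values="1;10" dur="1s"/></rect>
</svg>
--b1--
"""

def find_svg_payloads(raw_message: bytes) -> list[bytes]:
    """Collect every SVG body: image/svg+xml parts plus <svg> blocks inlined in HTML."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    found = []
    for part in msg.walk():
        body = part.get_payload(decode=True)
        if body is None:              # multipart container, nothing to scan
            continue
        ctype = part.get_content_type()
        if ctype == "image/svg+xml":
            found.append(body)
        elif ctype == "text/html":
            found.extend(m.group(0) for m in re.finditer(rb"<svg\b.*?</svg>", body, re.I | re.S))
    return found

def animate_targets(svg: bytes) -> list[tuple[str, str]]:
    """(attributeName, value) for each <animate>/<set> that writes a link attribute
    or carries a javascript: value. A parse failure is reported, not ignored:
    a browser's lenient parser may still render what strict XML rejects."""
    try:
        root = ET.fromstring(svg)
    except ET.ParseError:
        return [("PARSE_ERROR", "")]
    hits = []
    for el in root.iter():
        if el.tag not in ANIM_TAGS:
            continue
        target = el.get("attributeName", "")
        value = el.get("values") or el.get("to") or el.get("from") or ""
        if target in LINK_ATTRS or "javascript:" in value.lower():
            hits.append((target, value))
    return hits

def scan_message(raw_message: bytes) -> list[dict]:
    """One report entry per SVG found, in message order."""
    return [{"svg_index": i, "hits": hits, "suspicious": bool(hits)}
            for i, hits in enumerate(map(animate_targets, find_svg_payloads(raw_message)))]

if __name__ == "__main__":
    for entry in scan_message(SAMPLE_EMAIL):
        print(entry)
```

Run it as-is to see the inline SVG flagged and the attachment pass; point scan_message at raw messages from a mailbox export to sweep for the same pattern. The parse-error case is deliberately reported rather than skipped, because a broken-but-renderable SVG is exactly what a sanitizer bypass tends to look like.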
The Nation-State Connection
Why is CISA moving so aggressively? Roundcube has long been a "crown jewel" target for advanced persistent threats (APTs): webmail sits at the network edge, holds mail and credentials, and renders attacker-supplied content in the victim's browser. Groups such as APT28 (Fancy Bear) and Winter Vivern have repeatedly exploited Roundcube flaws to gain a foothold in government and diplomatic networks.
Security researchers warned today that exploit code for the RCE flaw was being traded on underground forums within 48 hours of its initial disclosure last year. The recent surge in activity suggests attackers are hitting installs that were never patched, or have found new paths to the same vulnerable logic; either way, last year's advisories are live again.
The Hacklido Takeaway
For the researchers and red-teamers at Hacklido, this is a lesson in supply-chain fragility. Roundcube is the default mail interface for millions of users through hosting control panels such as cPanel, Plesk and DirectAdmin, so you may be running it without ever having installed it. If your hosting provider hasn't updated its stack, you are exposed, and you should ask them which version they are serving.
Emergency Checklist:
- Verify your build: per the advisories, 1.6.x earlier than 1.6.12 and 1.5.x earlier than 1.5.12 are affected, and 1.4 and older are end-of-life and should be treated as vulnerable. Check the installed version on disk rather than trusting what a control panel reports.
- Patch to v1.6.13 / v1.5.13: CISA's KEV entries cover only the two flaws above, but a CSS injection bug (CVE-2026-26079) was disclosed earlier this month. Moving to the current .13 release closes all three Feb 2026 issues at once; there is no reason to stop at the KEV minimum.
- Audit SVG handling: if your deployment allows it, disable SVG rendering in webmail, or strip SVG parts and inline <svg> at the mail gateway, until the patch is confirmed in place. Then verify rather than assume: preview a test message carrying an SVG attachment and confirm it is not rendered.
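The first checklist item, done as a script, as an added example for this post rather than a Roundcube tool. It assumes the version is declared as define('RCMAIL_VERSION', 'x.y.z') in program/include/iniset.php (the constant Roundcube's own code uses; the default path below is the Debian package layout and is an assumption), and it takes the per-branch floors straight from the checklist, so confirm both against the vendor's release notes before trusting the verdict. SAMPLE_INISET is a constructed stand-in for the real file.

```python
"""Check a Roundcube install against the version floors in the checklist above.

Added example for this post, not a Roundcube tool. It assumes the version is
declared as define('RCMAIL_VERSION', 'x.y.z') in program/include/iniset.php
(the constant Roundcube's own code uses) and that the thresholds below, taken
from the checklist, are right; confirm both against the vendor's release notes
before relying on the verdict. SAMPLE_INISET is a constructed stand-in file."""
import re
import sys
from pathlib import Path

# Per branch: (first release the checklist treats as fixed, release it tells
# you to move to). Branches older than 1.5 are end-of-life and always flagged.
THRESHOLDS = {
    (1, 6): ((1, 6, 12), (1, 6, 13)),
    (1, 5): ((1, 5, 12), (1, 5, 13)),
}
NEWEST_COVERED = max(THRESHOLDS)

VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

# Constructed excerpt in the shape of iniset.php (assumed layout).
SAMPLE_INISET = """<?php
// roundcube bootstrap (constructed sample)
define('RCMAIL_VERSION', '1.6.11');
define('RCMAIL_START', microtime(true));
"""

def parse_version(text: str) -> tuple[int, int, int]:
    """'1.6.11-git' -> (1, 6, 11). Suffixes like -git/-rc are dropped and a
    missing patch level counts as 0, so '1.6' is treated as 1.6.0 (older than
    any fix) rather than silently passing."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def read_version(iniset_php: str) -> str:
    """Extract RCMAIL_VERSION from the text of iniset.php."""
    m = VERSION_RE.search(iniset_php)
    if not m:
        raise ValueError("RCMAIL_VERSION not found; is this program/include/iniset.php?")
    return m.group(1)

def assess(version: str) -> dict:
    """Verdict for one version string. 'vulnerable' is True/False for covered
    branches and None for branches newer than the checklist covers."""
    v = parse_version(version)
    branch = v[:2]
    if branch > NEWEST_COVERED:
        return {"version": version, "vulnerable": None, "at_recommended": None,
                "note": "branch newer than this checklist covers; check release notes"}
    if branch not in THRESHOLDS:
        return {"version": version, "vulnerable": True, "at_recommended": False,
                "note": "end-of-life branch; upgrade to a supported release"}
    fixed, recommended = THRESHOLDS[branch]
    target = ".".join(map(str, recommended))
    return {"version": version, "vulnerable": v < fixed, "at_recommended": v >= recommended,
            "note": "ok" if v >= recommended else f"upgrade to {target}"}

if __name__ == "__main__":
    # Default path is the Debian/Ubuntu package location (assumed); pass your own as argv[1].
    path = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/share/roundcube/program/include/iniset.php")
    result = assess(read_version(path.read_text(errors="replace")))
    print(result)
    # Non-zero unless the branch is covered and above the fix floor, so an
    # unknown or newer branch still fails closed in a cron job.
    sys.exit(0 if result["vulnerable"] is False else 1)
```

Point it at the iniset.php of each install (or each customer's Roundcube under a control panel) and gate on the exit code. A pre-release suffix is stripped on purpose: a "1.6.12-git" checkout is only as safe as the commit it was built from, so the script treats it as 1.6.12 and leaves the judgement to you.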
Stay ahead. Stay dangerous.
Team Hacklido ❤️
Join our Community – https://t.me/hacklido