
CISA Adds Two Actively Exploited Vulnerabilities in Roundcube to KEV Catalog
Tags: Cybersecurity, CISA, Roundcube, Vulnerabilities, KEV, CVE-2025-49113, Remote Code Execution, Deserialization, Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two actively exploited vulnerabilities in Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog on Friday. The flaws include CVE-2025-49113, a deserialization of untrusted data vulnerability with a CVSS score of 9.9, which allows remote code execution. Evidence of active exploitation prompted the inclusion in the KEV catalog, though the specific attack vectors or threat actors were not disclosed. No additional technical details or affected versions were provided beyond the CVE identifier and severity score. The action underscores the urgency for organizations using Roundcube to address these vulnerabilities.