CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Two Actively Exploited Roundcube Vulnerabilities Added to CISA KEV Catalog

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

CISA added two vulnerabilities in Roundcube webmail software to its KEV catalog, citing active exploitation. CVE-2025-49113 (CVSS 9.9) allows remote code execution via untrusted data deserialization, while CVE-2025-68461 (CVSS 7.2) is a cross-site scripting flaw. Both vulnerabilities were patched in 2025, but exploits have been developed and sold. The flaws have been linked to nation-state actors in the past. FCEB agencies must remediate by March 13, 2026. Over 84,000 vulnerable Roundcube webmail installations were identified shortly after the patch for CVE-2025-49113 was released, and CVE-2025-68461 can be exploited through low-complexity XSS attacks abusing the animate tag in SVG documents.

Timeline

  1. 21.02.2026 09:21 2 articles · 3d ago

    CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

    CISA added CVE-2025-49113 and CVE-2025-68461 to its KEV catalog due to active exploitation. CVE-2025-49113 allows remote code execution and was weaponized within 48 hours of disclosure. CVE-2025-68461 is a cross-site scripting flaw. FCEB agencies must remediate by March 13, 2026. Over 84,000 vulnerable Roundcube webmail installations were identified shortly after the patch for CVE-2025-49113 was released, and CVE-2025-68461 can be exploited through low-complexity XSS attacks abusing the animate tag in SVG documents.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with four new vulnerabilities that are being actively exploited in the wild. The vulnerabilities affect Synacor Zimbra Collaboration Suite, Versa Concerto SD-WAN, Vite Vitejs, and eslint-config-prettier. Federal agencies are required to apply patches by February 12, 2026. The vulnerabilities include a PHP remote file inclusion flaw, an authentication bypass, an improper access control issue, and a supply chain attack involving malicious code execution. Exploitation of one of the vulnerabilities, CVE-2025-68645, has been ongoing since January 14, 2026. CVE-2025-31125 affects only exposed dev instances and has been patched in versions 6.2.4, 6.1.3, 6.0.13, 5.4.16, and 4.5.11. CVE-2025-34026 is caused by a Traefik reverse proxy misconfiguration that allows access to administrative endpoints, including the internal Actuator endpoint, exposing heap dumps and trace logs. Affected products for CVE-2025-34026 are Concerto 12.1.2 through 12.2.0, although additional versions may also be impacted. Researchers at cybersecurity company ProjectDiscovery reported the issues to the vendor on February 13, 2025, and Versa Concerto confirmed to BleepingComputer that they had fixed them on March 7, 2025. Installing an affected package (versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7) for CVE-2025-54313 would run a malicious install.js script that launched the node-gyp.dll payload on Windows to steal npm authentication tokens. CVE-2025-68645 is a local file inclusion vulnerability in the Webmail Classic UI of Zimbra Collaboration Suite 10.0 and 10.1 caused by improper handling of user-supplied parameters in the RestFilter servlet.

Open in new tab

Fortinet FortiWeb Vulnerabilities Exploited in the Wild

Fortinet has disclosed a new medium-severity vulnerability (CVE-2025-58034) in FortiWeb, which is being actively exploited. This vulnerability, with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized code via crafted HTTP requests or CLI commands. The flaw was patched in version 8.0.2. Additionally, Fortinet silently patched another critical FortiWeb vulnerability (CVE-2025-64446, CVSS score: 9.1) in the same version. Exploitation campaigns have been observed chaining these vulnerabilities to facilitate authentication bypass and command injection. Fortinet's handling of these disclosures has been criticized for its delayed and fragmented approach. This development highlights the ongoing risks associated with unpatched vulnerabilities in network security appliances and the importance of timely and transparent disclosure practices.

Open in new tab

Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks

CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.

Open in new tab

Sudo Vulnerability CVE-2025-32463 Actively Exploited in Linux and Unix Systems

A critical security flaw in the Sudo command-line utility for Linux and Unix-like operating systems, identified as CVE-2025-32463, is being actively exploited. This vulnerability affects Sudo versions 1.9.14 through 1.9.17 and allows local attackers to run arbitrary commands as root, even if they are not listed in the sudoers file. The flaw was disclosed in July 2025 and added to CISA's Known Exploited Vulnerabilities (KEV) catalog on September 30, 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised Federal Civilian Executive Branch (FCEB) agencies to apply necessary mitigations by October 20, 2025, to secure their networks. The vulnerability was disclosed by Stratascale researcher Rich Mirch in July 2025. The flaw affects sudo versions 1.9.14 through 1.9.17 and has received a critical severity score of 9.3 out of 10. A proof-of-concept exploit for the CVE-2025-32463 flaw was released on July 4, 2025, and additional exploits have circulated publicly since July 1, 2025.

Open in new tab

Critical deserialization flaw in GoAnywhere MFT (CVE-2025-10035) patched

The critical deserialization vulnerability (CVE-2025-10035) in GoAnywhere MFT has been actively exploited by the cybercrime group Storm-1175 in Medusa ransomware attacks since at least September 11, 2025. This flaw, rated 10.0 on the CVSS scale, allows for arbitrary command execution if the system is publicly accessible over the internet. Fortra has released patches in versions 7.8.4 and 7.6.3. The vulnerability was disclosed on September 18, 2025, but exploitation began a week earlier. The Shadowserver Foundation is monitoring over 513 GoAnywhere MFT instances exposed online, although the number of patched instances is unknown. The flaw impacts the same license code path as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit. The vulnerability enables an attacker to bypass signature verification by crafting a forged license response signature, allowing the deserialization of arbitrary, attacker-controlled objects. Successful exploitation could result in command injection and potential remote code execution (RCE) on the affected system. The threat actor used legitimate remote monitoring and management (RMM) tools SimpleHelp and MeshAgent to launch binaries following exploitation. The threat actor utilized RMM tools to establish command-and-control (C2) infrastructure and set up a Cloudflare tunnel for secure C2 communication. The deployment and execution of Rclone was observed in at least one victim environment during the exfiltration stage. Medusa ransomware has over 300 global victims in critical infrastructure sectors, including a confirmed attack on a US healthcare organization in early 2025. Fortra began investigating the vulnerability on September 11, 2025, following a customer report. Fortra contacted on-premises customers with publicly accessible admin consoles and notified law enforcement on September 11, 2025. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x was released on September 12, 2025. Full patches for versions 7.6.3 and 7.8.4 were released on September 15, 2025. The CVE for the vulnerability was formally published on September 18, 2025. Fortra confirmed a limited number of reports of unauthorized activity related to CVE-2025-10035. Fortra recommends restricting admin console access over the internet and enabling monitoring. watchTowr CEO and founder Benjamin Harris reiterated the need for transparency from Fortra regarding the private keys used in the exploit.

Open in new tab