On February 20, 2026, CISA added CVE-2025-68461 to its Known Exploited Vulnerabilities (KEV) catalog - the US government's authoritative signal that a vulnerability has moved from theoretical risk to confirmed, real-world exploitation. The flaw sits inside Roundcube Webmail, a widely deployed open-source email client bundled with cPanel and used across thousands of enterprise and shared hosting environments globally.
This is not an isolated event. CISA added CVE-2025-68461 alongside companion flaw CVE-2025-49113 on the same day, confirming that threat actors are operating across both vulnerabilities - and that Roundcube has become active hunting ground.
What Is CVE-2025-68461?
CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). It carries a CVSSv3 score of 7.2 (High) and affects all Roundcube Webmail versions prior to 1.5.12 and 1.6.12.
The root cause is a broken HTML/SVG sanitizer. Roundcube's message rendering engine fails to neutralize dangerous content within the <animate> tag inside SVG documents. Specifically, keyframe and values attributes inside SVG animate tags can accept URL-style inputs - and the downstream sanitizer does not strip javascript: payloads embedded within them.
When a user opens a crafted email carrying a malicious SVG attachment or inline SVG block, the browser executes the embedded script in the context of the active Roundcube session. The attacker gains access to the DOM, session cookies, authentication tokens, and every client-side API Roundcube exposes - all without any prior authentication or credentials.
Exploitation requires zero privileges and zero user interaction beyond opening the email. The CVSS vector confirms it: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N.
What an Attacker Can Do
Once the injected script runs in the victim's browser session, the impact is wide and stealthy:
- Silent account takeover - full access to the victim's inbox without triggering a login alert
- Mail exfiltration - reading, downloading, or forwarding sensitive email content
- Contact harvesting - extracting the address book for follow-on phishing
- Composing emails from the victim's account - enabling business email compromise (BEC) without touching the mail server
- Persistent backdoors - injecting scripts that survive across sessions via contact lists or signatures
- Lateral movement - using harvested credentials and session tokens to pivot to connected systems
This is why security researchers describe XSS in webmail clients as more dangerous in practice than it appears on paper. The browser session is where authentication lives. Compromise it, and every downstream security control is bypassed.
The Exploit Chain: XSS to One-Click RCE
CVE-2025-68461 does not exist in isolation. Researchers have publicly demonstrated a chained exploit combining it with the companion critical flaw CVE-2025-49113 - a deserialization RCE bug rated CVSS 9.9, also confirmed in CISA KEV.
The attack chain works as follows: CVE-2025-68461 delivers the initial XSS payload through a malicious email. That XSS session-hijacks an authenticated user and weaponizes CVE-2025-49113's deserialization path - turning a client-side script injection into remote code execution on the underlying mail server in a single click.
No brute force. No separate intrusion step. One email, one click, full server compromise.
The Timeline
| Date | Event |
|---|---|
| December 13, 2025 | Roundcube releases security updates 1.6.12 and 1.5.12, patching CVE-2025-68461 |
| December 18, 2025 | CVE formally published by MITRE / NVD |
| February 20, 2026 | CISA adds CVE-2025-68461 to KEV catalog, confirming active exploitation |
| March 13, 2026 | CISA mandatory remediation deadline for all US Federal Civilian Executive Branch (FCEB) agencies |
The gap between patch release (December 13) and CISA KEV confirmation (February 20) - nearly 10 weeks - indicates exploitation was underway against organizations that had not yet updated.
Attack Surface: Tens of Thousands of Exposed Instances
The scale of exposure is significant. ZoomEye scans identified over 642,000 publicly exposed Roundcube instances globally at the time of disclosure. Internet-wide reconnaissance scans targeting Roundcube spiked 300% following the CISA KEV addition, per Shadowserver data - a direct sign of threat actors probing the exposure window.
Roundcube is especially prevalent in:
- cPanel-based shared hosting environments
- Government and education webmail deployments
- Eastern European and Central Asian enterprise infrastructure
- Self-hosted corporate email setups
Historically, this exact infrastructure profile has been targeted by APT28 (Fancy Bear) and Winter Vivern, both of which have previously weaponized Roundcube XSS vulnerabilities for espionage campaigns against government and diplomatic targets. CISA has not publicly attributed the current exploitation campaign.
Roundcube's History as APT Bait
This is not the first time Roundcube has featured in CISA's KEV catalog. The same catalog carries multiple prior Roundcube entries - CVE-2020-13965, CVE-2023-43770, CVE-2023-5631, CVE-2024-37383, CVE-2024-42009 - forming a clear pattern: Roundcube is persistently targeted by sophisticated threat actors because it handles email, and email is the crown jewels.
Session cookies. Authentication tokens. MFA fatigue vectors. Business correspondence. Credentials in plain text. Webmail is where initial access becomes everything else.
Patch and Mitigation
Primary action: Update Roundcube to 1.6.12 (1.6.x branch) or 1.5.12 (1.5.x branch) immediately. These are the only complete remediations.
How to verify your version: Admin panel → About → Check Roundcube version string
If you cannot patch immediately, apply these compensating controls:
- Block public internet access to Roundcube login interfaces - restrict to VPN or trusted IP ranges
- Deploy Content Security Policy (CSP) headers - `script-src 'self'` reduces XSS blast radius (mitigation only, not a fix)
- Strip or reject SVG attachments at the mail gateway level
- Implement a Web Application Firewall (WAF) with XSS rulesets covering SVG injection patterns
- Audit logs for anomalous activity in email sessions - unexpected mail forwards, unusual access times, unfamiliar IPs
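The sanitizer gap described above (a javascript: URL inside the values list of an SVG animate element) and the "strip or reject SVG attachments at the mail gateway" control can be combined into a gateway-side pre-filter; the following added Python example is not Roundcube's code or part of the article, and walks a MIME message flagging animate attributes whose semicolon-separated value list carries a javascript: URL after entity decoding. Assumptions: the sample message is constructed, PLACEHOLDER stands in for any script body, and checking every animate attribute rather than only `values` is a defensive generalization.

```python
import html
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Cheap gateway-side triage regexes (assumption: a pre-filter, not a full SVG sanitizer).
# Case-insensitive because HTML-style parsing treats tag and attribute names that way.
ANIMATE_TAG = re.compile(r"<animate\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTRIBUTE = re.compile(r"""([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')""", re.DOTALL)
JS_SCHEME = re.compile(r"^[\s\x00-\x1f]*javascript\s*:", re.IGNORECASE)


def find_script_urls_in_svg(markup: str) -> list[tuple[str, str]]:
    """(attribute, value) pairs on <animate> elements carrying a javascript: URL. Entities
    are decoded first ('&#106;avascript:' is caught); values split on ';' like SVG keyframe lists."""
    hits = []
    for tag in ANIMATE_TAG.finditer(markup):
        for name, dq, sq in ATTRIBUTE.findall(tag.group(1)):
            for value in html.unescape(dq or sq).split(";"):
                if JS_SCHEME.match(value):
                    hits.append((name.lower(), value.strip()))
    return hits


def scan_message(raw_bytes: bytes) -> list[dict]:
    """Walk a MIME message; scan SVG attachments, image/svg+xml parts and HTML
    bodies (which may embed an inline <svg> block) with the check above."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        if ctype not in ("image/svg+xml", "text/html") and not fname.endswith(".svg"):
            continue
        payload = part.get_payload(decode=True) or b""  # None for container parts
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        for attr, value in find_script_urls_in_svg(text):
            findings.append({"part": idx, "type": ctype, "file": fname, "attr": attr, "value": value})
    return findings


def build_sample() -> bytes:
    """Constructed test message: a benign HTML body plus one SVG attachment whose
    <animate values=...> list hides an entity-encoded javascript: entry (placeholder body)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "constructed"
    msg.set_content("<html><body><p>report attached</p></body></html>", subtype="html")
    svg = ('<svg xmlns="http://www.w3.org/2000/svg">'
           '<animate values="https://example.test;&#106;avascript:PLACEHOLDER"/></svg>')
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml", filename="logo.svg")
    return msg.as_bytes()
```

A hit is a reason to quarantine or strip the part; absence of hits is not a clean bill, since this is a regex pre-filter and the complete remediation remains the 1.6.12 / 1.5.12 update.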
Fedora users: Distribution-level patches for Fedora 42 and 43 are already available. Apply via standard package management.
Debian/Ubuntu users: Distro-maintained packages have been updated - check your package manager for the latest Roundcube version.
Federal Deadline
Under CISA's Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must remediate CVE-2025-68461 by March 13, 2026. Non-compliance means operating a confirmed, actively exploited vulnerability on federal networks past a mandated deadline.
For private sector organizations, BOD 22-01 is advisory - but CISA's urgency language extends clearly beyond federal walls.
Bottom Line
CVE-2025-68461 is an actively exploited XSS zero-day in Roundcube Webmail, confirmed by CISA in its KEV catalog. A single malicious email, requiring no credentials or user interaction beyond opening it, can silently take over a victim's email account - and when chained with CVE-2025-49113, escalates to full remote code execution on the mail server.
Patches have been available since December 13, 2025. The window between patch availability and your remediation date is your exposure window. Close it.
Priority: Critical for any organization running internet-exposed Roundcube. Mandatory for FCEB agencies by March 13, 2026.
---
Sources:
- CISA Known Exploited Vulnerabilities Catalog (February 20, 2026)
- Roundcube Security Advisory - 1.6.12 / 1.5.12 (December 13, 2025)
- The Hacker News - CVE-2025-68461 / CVE-2025-49113 KEV Coverage
- SecurityWeek - Roundcube Exploitation Report
- Shadowserver Foundation - Scan Spike Data
- Windows Forum / FearsOff - Exploit Chain Technical Analysis
- NVD / MITRE CVE Record - CVE-2025-68461
- ZoomEye - Roundcube Exposure Scan Data