Critical Remote Code Execution Flaws in Roundcube Webmail

CISA has identified two critical vulnerabilities in Roundcube webmail, with CVE-2025-49113 being actively exploited for remote code execution.

Sebastion

Affected: Roundcube Webmail

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities affecting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, indicating that they are being actively exploited in the wild. One of them, CVE-2025-49113, carries a CVSS score of 9.9, reflecting its remote code execution capability: an attacker who exploits it can execute arbitrary commands on the affected system.

Flaws of this kind in a webmail platform can lead to complete system compromise, data breaches, and unauthorized access. Roundcube users are strongly advised to update their installations immediately to mitigate these risks. The inclusion of these flaws in the KEV catalog reflects CISA's focus on actively exploited threats and helps organizations prioritize remediation efforts. Given the critical nature of these vulnerabilities and their potential impact on organizational security, immediate action is essential to prevent exploitation.