CISA Lit the Flare on Roundcube, and the Swamp Still Wants a Meeting
United States – February 23, 2026 – CISA put Roundcube on the KEV list, and the compliance clowns still want a meeting while hackers smell profit.
You know that burnt-electronics smell, like an overheated router gasping for mercy in a broom closet? That is the aroma of a weekend getting sacrificed to a blinking server rack. And it is back, because email is still the front door to the whole house. The burglars know it, and they love it.
CISA just put Roundcube on the bullseye
This is not a pretend panic. Two Roundcube Webmail flaws, CVE-2025-49113 and CVE-2025-68461, are now in CISA’s Known Exploited Vulnerabilities catalog. Translation into F-150 language: when it hits KEV, it is not a polite suggestion. It is the red flare that says people are getting popped.
Per KEV metadata reflected in NIST’s National Vulnerability Database, federal agencies have a remediation due date of March 13, 2026. That is a deadline with teeth, not a “nice-to-have.”
What the two bugs mean
- CVE-2025-49113: the nasty one. Under certain conditions, it can lead to remote code execution in unpatched Roundcube setups. It was patched on June 1, 2025, which means folks had time to do the simplest job in tech: update the software.
- CVE-2025-68461: a cross-site scripting problem tied to the animate tag in an SVG document. Roundcube shipped fixes in December 2025 via security updates 1.6.12 and 1.5.12.
The real vulnerability: “later”
Here is where the grease starts popping. Patch Tuesday comes. A ticket gets created. Then come the sacred rituals: maintenance windows, change boards, risk assessments, and the words that should be illegal in an IT department: “we will circle back.” While the suits are circling, the bad guys are sprinting.
What to do instead of scheduling another meeting
Email is resets, MFA prompts, invoices, HR, payroll, and keys to everything duct-taped to the internet. So if you run Roundcube anywhere in your orbit, the correct response is simple:
- Patch the webmail and confirm the version.
- Verify what changed and that fixes actually landed.
- Hunt for signs of compromise and review logs.
- Rotate credentials if you have any reason to suspect compromise.
- Reduce exposure. If you do not know what you are running, that is not a mystery, it is negligence.
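For the "confirm the version" step, here is an added example (not Roundcube's or CISA's code) that checks an inventory of installs against the fixed releases named above. It assumes the version is recorded as RCMAIL_VERSION in program/include/iniset.php and that 1.6.12 and 1.5.12 are the minimum safe releases for their branches; hostnames and file contents are constructed samples.

```python
import re

# Fixed releases named in the article for CVE-2025-68461 (December 2025 updates).
# Assumption: each is the minimum safe release for its branch, and later releases
# keep the June 2025 fix for CVE-2025-49113.
FIXED = {(1, 6): 12, (1, 5): 12}

# Assumption: Roundcube records its version in program/include/iniset.php as
# define('RCMAIL_VERSION', '<version>');
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

def extract_version(iniset_text):
    """Pull the version string out of iniset.php contents, or None if absent."""
    m = VERSION_RE.search(iniset_text)
    return m.group(1) if m else None

def assess(version):
    """Return 'patched', 'vulnerable' or 'review' for a Roundcube version string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version or "")
    if not m:
        return "review"  # missing, pre-release or git build: check by hand
    major, minor, patch = map(int, m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "review"  # a branch the article names no fixed release for
    return "patched" if patch >= fixed_patch else "vulnerable"

def audit(inventory):
    """Map each host to its status, given {host: iniset.php contents}."""
    return {host: assess(extract_version(text)) for host, text in inventory.items()}

# Constructed sample inventory: hostnames and file contents are made up.
SAMPLE = {
    "mail-a.example": "define('RCMAIL_VERSION', '1.6.12');",
    "mail-b.example": "define('RCMAIL_VERSION', '1.6.10');",
    "mail-c.example": "define('RCMAIL_VERSION', '1.5.12');",
    "mail-d.example": "define('RCMAIL_VERSION', '1.7-git');",
    "mail-e.example": "<?php // version line missing",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Anything that comes back as "review" is an install whose version you cannot vouch for, which is exactly the case the last checklist item is about.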
Stop treating cybersecurity like a quarterly training video. Treat it like changing the oil. Skip it long enough, and you do not get a gentle warning. You get a blown engine on the highway, and everybody behind you pays the price.