U.S. CISA adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog


Pierluigi Paganini February 21, 2026

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds RoundCube Webmail flaws to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two RoundCube Webmail flaws to its Known Exploited Vulnerabilities (KEV) catalog.

Below are the flaws added to the catalog:

  • CVE-2025-49113 (CVSS score: 9.9) RoundCube Webmail Deserialization of Untrusted Data Vulnerability
  • CVE-2025-68461 (CVSS score: 7.2) RoundCube Webmail Cross-site Scripting Vulnerability

Roundcube is a popular webmail platform and has been repeatedly targeted by advanced threat groups like APT28 and Winter Vivern. In the past, attackers exploited these vulnerabilities to steal login credentials and spy on sensitive communications. These campaigns show how unpatched systems remain a serious risk, especially for high-value targets.

The critical flaw CVE-2025-49113 is a deserialization of untrusted data vulnerability. The flaw went unnoticed for over a decade; an attacker can exploit it to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability.

“Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.” reads the advisory published by NIST.

The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS.

At the time of the discovery, Firsov estimated that the flaw was impacting over 53 million hosts, including deployments bundled with hosting control panels such as cPanel, Plesk, ISPConfig and DirectAdmin.

Researchers at Positive Technologies announced they have reproduced CVE-2025-49113 in Roundcube. The experts urge users to update to the latest version of Roundcube immediately.

The second flaw added to the KEV catalog, tracked as CVE-2025-68461, is a cross-site scripting vulnerability.

“Roundcube Webmail before 1.5.12 and 1.6 before 1.6.12 is prone to a Cross-Site-Scripting (XSS) vulnerability via the animate tag in an SVG document.” reads the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerabilities by March 10, 2026.
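As an added example (not code from the article or from the Roundcube project), the following script maps Roundcube version strings to the two KEV entries above, using only the fixed versions quoted from the advisories; the hostnames and versions in the inventory are constructed.

```python
"""Triage Roundcube installs against the two KEV entries in this article."""
import re

# First fixed version per maintained branch, as quoted from the advisories:
# CVE-2025-49113: "before 1.5.10 and 1.6.x before 1.6.11"
# CVE-2025-68461: "before 1.5.12 and 1.6 before 1.6.12"
FIXED_VERSIONS = {
    "CVE-2025-49113": [(1, 5, 10), (1, 6, 11)],
    "CVE-2025-68461": [(1, 5, 12), (1, 6, 12)],
}
KEV_DUE_DATE = "2026-03-10"  # BOD 22-01 remediation date from the article


def parse_version(text):
    """Turn '1.6.10', '1.5.10-LTS' or 'Roundcube Webmail 1.5.9' into an int tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version, fixed_versions):
    """'before X' covers every release older than the lowest fixed version;
    within a branch that has its own fix, anything below that fix is affected."""
    if version < min(fixed_versions):
        return True
    return any(version[:2] == f[:2] and version < f for f in fixed_versions)


def affected_cves(version_text):
    """Return the KEV CVEs that still apply to this version (empty list = patched)."""
    v = parse_version(version_text)
    return [cve for cve, fixed in FIXED_VERSIONS.items() if is_affected(v, fixed)]


# Constructed sample inventory: hypothetical hostnames and version banners.
SAMPLE_INVENTORY = {
    "mail-a.example.internal": "Roundcube Webmail 1.6.10",
    "mail-b.example.internal": "1.5.11",
    "mail-c.example.internal": "1.6.12",
}


def triage(inventory):
    """Map each host to the KEV CVEs it is still exposed to."""
    return {host: affected_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = ", ".join(cves) if cves else "not affected by either KEV entry"
        print(f"{host}: {status} (BOD 22-01 due date {KEV_DUE_DATE})")
```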


Source: https://securityaffairs.com/188324/security/u-s-cisa-adds-roundcube-webmail-flaws-to-its-known-exploited-vulnerabilities-catalog.html