TL-2026-0130 CRITICAL 2026-02-22 Vulnerability Alert

RoundCube Webmail CVE-2025-49113 & CVE-2025-68461 — CISA KEV Chained Exploitation

Threadlinqs Intelligence 7 min

Threat ID: TL-2026-0130 | Severity: CRITICAL | Status: ACTIVE

Actor: Winter Vivern/TAG-70, APT28/Fancy Bear | Nation: Russia | Motivation: ESPIONAGE

MITRE Techniques: 26 | Detections: 9 | IOCs: Behavioral


Roundcube — the open-source webmail client running on thousands of government and university mail servers — has a stored XSS chain that APT groups are actively exploiting.

On February 20, 2026, CISA added two RoundCube Webmail vulnerabilities to the Known Exploited Vulnerabilities catalog under BOD 22-01. CVE-2025-49113 (CVSS 9.9) enables post-authentication remote code execution via PHP object deserialization in the settings upload handler. CVE-2025-68461 (CVSS 7.2) enables stored cross-site scripting via SVG tags, bypassing the HTML sanitizer. XSS to RCE. Two steps. The XSS steals a session, and deserialization delivers code execution on the server.

Below: both vulnerabilities, the chained exploitation path, nation-state context from Winter Vivern and APT28 campaigns, and production-ready detection queries in SPL, KQL, and Sigma.

CISA KEV catalog update (February 20, 2026) — adding CVE-2025-49113 RoundCube deserialization RCE and CVE-2025-68461 XSS based on confirmed active exploitation.

Technical Analysis

CVE-2025-49113 — PHP Object Deserialization RCE

RoundCube Webmail before 1.5.10 and 1.6.x before 1.6.11 passes the _from parameter in program/actions/settings/upload.php directly to PHP's unserialize() function without validation. An authenticated attacker crafts a malicious serialized PHP object that triggers arbitrary code execution via magic methods (__wakeup, __destruct, __toString) and existing gadget chains in the RoundCube codebase or its Composer dependencies.

The attack requires only a valid user-level session — no admin privileges. One POST request. That is the entire exploit. Tools like PHPGGC provide ready-made gadget chains for common PHP frameworks and libraries. Kirill Firsov reported the vulnerability; FearsOff Research published a detailed technical analysis. Our analysis found that default RoundCube installations on Debian 11 ship with enough gadget chain material for reliable exploitation — no extra dependencies needed.

Affected versions: RoundCube < 1.5.10 and 1.6.0 through 1.6.10. Debian 11 ships a vulnerable package.

CVE-2025-68461 — Stored XSS via SVG Animate Tag

RoundCube's HTML sanitizer fails to handle SVG elements embedded in email bodies. An attacker sends a crafted email containing an SVG document whose <animate> or <set> tags manipulate attributes or fire event handlers, executing JavaScript in the victim's browser session when the email is viewed. Valentin T. from CrowdStrike reported this vulnerability.

Three exploitation vectors exist: attributeName href injection via animate targets, onbegin event handler execution, and <set> tag attribute manipulation. No authentication needed — just drop the lure into the target's inbox and wait for them to open it. The XSS fires on email view.

Affected versions: RoundCube < 1.5.12 and 1.6.0 through 1.6.11.

Chained together, these two bugs give an attacker complete server compromise. Webmail. Unpatched. Owned. The kill chain runs like this:

  1. XSS Delivery (T1203) — Attacker sends a crafted email with a malicious SVG tag to the target. The victim opens the email in RoundCube webmail.
  2. Session Theft (T1539) — JavaScript executes in the victim's browser, exfiltrating the roundcube_sessid cookie to an attacker-controlled endpoint via image beacon, fetch(), or XMLHttpRequest.
  3. Session Hijack (T1550.004) — Attacker replays the stolen session cookie from a different IP to authenticate as the victim.
  4. Deserialization RCE (T1190) — With a valid session, the attacker sends a crafted POST to settings/upload.php with a serialized PHP object in the _from parameter. The attacker owns the box at this point — code execution as www-data.
  5. Webshell Persistence (T1505.003) — PHP webshell dropped in the RoundCube web root for persistent access.
  6. Credential Harvest (T1552.001) — config.inc.php read for IMAP server, MySQL/PostgreSQL, SMTP relay, and LDAP credentials.
  7. Email Collection (T1114.001) — Direct access to /var/mail/ or Maildir spool. Sieve rules or .forward files modified for persistent email forwarding (T1098).

Roundcube official security updates 1.6.11 and 1.5.10 — patching post-authentication RCE via PHP Object Deserialization reported by Kirill Firsov.

Threat Actor Profile

Winter Vivern (TAG-70) is a Russia-aligned threat group documented by ESET exploiting CVE-2023-5631 (RoundCube XSS) against European government and military email systems in 2023. The group targets Ukrainian and European entities for espionage, leveraging webmail vulnerabilities as low-cost, high-yield initial access vectors.

APT28 (Fancy Bear/Sofacy/Sednit) exploited CVE-2020-35730 (RoundCube XSS) in campaigns against Ukrainian government email servers in 2022-2023, documented by Recorded Future. APT28 is attributed to Russia's GRU military intelligence unit 26165.

Both groups run the same playbook: exploit RoundCube XSS to steal webmail sessions, then pivot to post-exploitation objectives. What caught our attention was the timing — CISA adding both CVEs to KEV simultaneously suggests coordinated exploitation, not independent discovery. Based on our tracking of 112 threats on the platform, this pattern — chained webmail bugs hitting government mail servers — maps directly to the Winter Vivern/APT28 operational template. Attribution confidence is MEDIUM; specific campaign attribution for the current exploitation has not been publicly disclosed.

Side note: RoundCube has appeared in CISA KEV three times in three years. If you are still running unpatched RoundCube on internet-facing infrastructure, you are popping webmail boxes for the adversary.

Detection

Threadlinqs Intelligence provides 9 production-ready detection rules for this threat, covering the full kill chain from SVG XSS email delivery through post-RCE lateral movement.

Splunk SPL

Catching deserialization attempts in Splunk — this query targets POST requests to the settings upload handler containing serialized PHP object markers in the _from parameter:

```spl
index=web (sourcetype=access_combined OR sourcetype=iis)
| search uri_path="settings/upload" method=POST
| regex _raw="(_from=O%3A|_from=a%3A|_from=O:|_from=a:)"
| eval attack="CVE-2025-49113 Deserialization RCE Attempt"
| stats count by src_ip, dest, uri_path, attack, _time
| where count > 0
```

This query targets the specific exploitation vector — URL-encoded serialized PHP markers (O: for object, a: for array) in the _from parameter of upload.php requests. Any match is a strong indicator of exploitation.

Microsoft KQL

This KQL query correlates the full chained attack — SVG XSS email delivery, session IP change, and deserialization exploit POST within a 24-hour window:

```kql
let svg_xss_emails = EmailEvents
| where Timestamp > ago(7d)
| where EmailDirection == "Inbound"
| where AttachmentTypes has "svg" or BodyPreview has_any ("animate", "<set", "attributeName")
| project EmailReceivedTime=Timestamp, RecipientEmailAddress, SenderFromAddress, NetworkMessageId;
let session_anomalies = WebServerLogs
| where Timestamp > ago(7d)
| where UrlOriginal contains "roundcube"
| summarize IPs=dcount(ClientIP), IPList=make_set(ClientIP) by SessionId, bin(Timestamp, 1h)
| where IPs > 1
// expand the IP set to one row per (session, IP) so the join key below is a plain string
| mv-expand IPList to typeof(string);
let exploit_posts = WebServerLogs
| where Timestamp > ago(7d)
| where HttpRequestMethod == "POST"
| where UrlOriginal contains "settings/upload"
| where UrlOriginal matches regex @"_from=(O%3A|a%3A)"
| project ExploitTime=Timestamp, ClientIP, UrlOriginal;
exploit_posts
| join kind=inner session_anomalies on $left.ClientIP == $right.IPList
// email events share no join key with web-server logs; carry the 7-day SVG email count as context
| extend SvgXssEmails=toscalar(svg_xss_emails | count)
| project ExploitTime, ClientIP, UrlOriginal, SessionId, SvgXssEmails
```

The query brings together three signals: inbound emails with SVG animation content, RoundCube sessions accessed from multiple IPs within the same hour (session hijack indicator), and POST requests to the deserialization endpoint. Its output is the set of exploit POSTs whose source IP also appears in a multi-IP session.
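The same detection logic as the SPL and KQL queries above, as an added, runnable example over constructed log lines (this is illustration code written for this write-up, not Threadlinqs or Roundcube code). It assumes a simplified log format of `client_ip session_id method url` and that the session id is logged at all, which requires a custom LogFormat capturing the roundcube_sessid cookie; the sample lines route the upload action through Roundcube's `_task`/`_action` query parameters, while the page's queries match on the `settings/upload` path, so the handler check accepts both. It also pulls class names out of a captured serialized payload for triage without ever unserializing it.

```python
"""Detection logic mirroring the SPL and KQL queries above, run over constructed
web-server log lines. Example code added to this write-up; not Roundcube code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines (not real traffic). Assumed format for this example:
#   <client_ip> <session_id> <method> <request_url>
# A real access log needs its own parser, and the session id is only available
# if the LogFormat records the roundcube_sessid cookie (an assumption here).
SAMPLE_LOGS = [
    "10.0.0.5 sess_a1 GET /roundcube/?_task=mail&_action=show&_uid=42",
    "10.0.0.5 sess_a1 GET /roundcube/?_task=mail&_action=list",
    "203.0.113.9 sess_a1 GET /roundcube/?_task=settings&_action=identities",
    "203.0.113.9 sess_a1 POST /roundcube/?_task=settings&_action=upload"
    "&_from=O%3A14%3A%22PlaceholderObj%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7D",
    "198.51.100.2 sess_b7 POST /roundcube/?_task=settings&_action=upload&_from=edit-identity",
    "198.51.100.2 sess_b7 GET /roundcube/?_task=mail&_action=list",
]

SERIALIZED_MARKER = re.compile(r"^(O|a):\d+:")   # PHP object / array prefix
PHP_CLASS = re.compile(r'O:\d+:"([^"]+)"')        # class names referenced in a blob


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ip, session, method, url = line.split(" ", 3)
    return {"ip": ip, "session": session, "method": method, "url": url}


def is_upload_handler(url):
    """True when the request reaches the settings upload action, either via the
    'settings/upload' path the SPL/KQL match on or via the _task/_action query
    routing the sample lines use (assumption for this example)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    by_path = "settings/upload" in parts.path
    by_query = query.get("_task") == ["settings"] and query.get("_action") == ["upload"]
    return by_path or by_query


def from_parameter(url):
    """Return the percent-decoded _from value, or None if the request has none."""
    values = parse_qs(urlsplit(url).query).get("_from")
    return values[0] if values else None


def php_class_names(blob):
    """List class names referenced by a serialized PHP blob, for triage of a
    captured payload, without ever calling unserialize() on it."""
    return PHP_CLASS.findall(blob)


def find_deserialization_attempts(lines):
    """CVE-2025-49113 indicator: POST to the upload handler whose _from value
    begins with a PHP object (O:) or array (a:) marker. Decoding first catches
    both the %3A and the literal ':' forms the SPL regex lists."""
    hits = []
    for rec in map(parse_line, lines):
        if rec["method"] != "POST" or not is_upload_handler(rec["url"]):
            continue
        value = from_parameter(rec["url"])
        if value and SERIALIZED_MARKER.match(value):
            hits.append({"ip": rec["ip"], "session": rec["session"],
                         "classes": php_class_names(value)})
    return hits


def find_multi_ip_sessions(lines):
    """Session-hijack indicator: one session id used from more than one client IP."""
    ips_by_session = defaultdict(set)
    for rec in map(parse_line, lines):
        ips_by_session[rec["session"]].add(rec["ip"])
    return {s: sorted(ips) for s, ips in ips_by_session.items() if len(ips) > 1}


def correlate(lines):
    """Join the two signals as the KQL does: exploit POSTs whose session was
    also seen from multiple IPs. Returns (client_ip, session_id) pairs."""
    hijacked = find_multi_ip_sessions(lines)
    return [(h["ip"], h["session"])
            for h in find_deserialization_attempts(lines) if h["session"] in hijacked]


if __name__ == "__main__":
    for hit in find_deserialization_attempts(SAMPLE_LOGS):
        print("deserialization attempt:", hit)
    print("multi-IP sessions:", find_multi_ip_sessions(SAMPLE_LOGS))
    print("correlated session hijack + exploit:", correlate(SAMPLE_LOGS))
```

On the constructed lines the script flags one exploit POST from 203.0.113.9 referencing the class `PlaceholderObj`, reports session `sess_a1` as used from two IPs, and correlates the two into a single hijack-then-exploit finding; the second POST with `_from=edit-identity` is a normal identity edit and is not flagged. The class-name extraction is what you would hand to the team checking which gadget chains the payload relies on.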

Sigma

We target the XSS delivery vector here — inbound emails containing SVG <animate> or <set> tags that would trigger CVE-2025-68461:

```yaml
title: RoundCube SVG Animate XSS Email Delivery (CVE-2025-68461)
id: 7a3c9f12-4e8b-4d2a-b6f1-9c8e5d7a2b34
status: experimental
description: >
    Detects inbound emails containing SVG animate or set tags that bypass
    RoundCube HTML sanitizer. CVE-2025-68461 enables stored XSS for session
    theft, chaining with CVE-2025-49113 deserialization RCE. CISA KEV.
references:
    - https://intel.threadlinqs.com/#TL-2026-0130
    - https://nvd.nist.gov/vuln/detail/CVE-2025-68461
author: Threadlinqs Intelligence
date: 2026/02/22
tags:
    - attack.initial_access
    - attack.t1203
    - attack.credential_access
    - attack.t1539
    - cve.2025.68461
logsource:
    category: email
    product: email_gateway
detection:
    selection_svg_animate:
        email_body|contains:
            - '<animate'
            - '<set '
            - 'attributeName'
            - 'onbegin='
    selection_svg_context:
        email_body|contains:
            - '<svg'
            - 'image/svg'
    condition: selection_svg_animate and selection_svg_context
falsepositives:
    - Marketing emails with SVG animations
    - Design newsletters containing animated SVG content
level: high
```

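The Sigma condition above, applied in code to a handful of constructed email bodies, as an added example that is not part of the rule or of Threadlinqs' tooling. It goes one step beyond the rule: after the rule's `selection_svg_animate and selection_svg_context` match, it ranks a hit "high" when the specific vectors the advisory names (an `onbegin` handler or an `href` animation target) are present and "medium" for plain SVG animation, which is where the rule's own listed false positives (marketing and design newsletters) land. The marker lists and the tiering thresholds are this example's assumptions.

```python
"""Applies the Sigma rule above to constructed email bodies and adds a
severity tier. Example code added to this write-up; not the Sigma rule itself."""

# Markers copied from the rule's two selections (Sigma matches case-insensitively)
SVG_ANIMATE_MARKERS = ("<animate", "<set ", "attributeName", "onbegin=")
SVG_CONTEXT_MARKERS = ("<svg", "image/svg")
# Markers for the two vectors the advisory names (onbegin handler, href
# retargeting through animate); used only to rank a hit, never to match it.
HIGH_RISK_MARKERS = ("onbegin=", 'attributename="href"', "attributename='href'")

# Constructed sample bodies (not real messages)
SAMPLE_EMAILS = {
    "newsletter": '<html><body><svg viewBox="0 0 10 10"><circle r="4">'
                  '<animate attributeName="r" values="4;6;4" dur="2s" repeatCount="indefinite"/>'
                  '</circle></svg></body></html>',
    "lure": '<html><body><svg><a href="https://example.invalid/">'
            '<animate attributeName="href" values="#constructed"/></a>'
            '<set attributeName="x" to="1" onbegin="/* constructed placeholder */"/>'
            '</svg></body></html>',
    "plain": "Hi, the agenda is attached. Thanks.",
    "svg_image": "Content-Type: image/svg+xml\n\n"
                 '<svg xmlns="http://www.w3.org/2000/svg"><rect width="5" height="5"/></svg>',
}


def _has_any(lowered_text, markers):
    """Case-insensitive substring test, the way Sigma's contains modifier behaves."""
    return any(m.lower() in lowered_text for m in markers)


def matches_sigma(body):
    """The rule's condition: selection_svg_animate and selection_svg_context."""
    lowered = body.lower()
    return _has_any(lowered, SVG_ANIMATE_MARKERS) and _has_any(lowered, SVG_CONTEXT_MARKERS)


def triage(body):
    """None when the rule does not fire; 'high' when an event handler or href
    animation is present; 'medium' for plain SVG animation, the tier where the
    rule's listed false positives (marketing/design newsletters) land."""
    if not matches_sigma(body):
        return None
    return "high" if _has_any(body.lower(), HIGH_RISK_MARKERS) else "medium"


def scan(emails):
    """Map each message name to its tier."""
    return {name: triage(body) for name, body in emails.items()}


if __name__ == "__main__":
    for name, tier in scan(SAMPLE_EMAILS).items():
        print(f"{name:12s} -> {tier}")
```

Run as written, the newsletter lands in the medium tier (the rule fires, but only because of a harmless radius animation), the lure is rated high, the plain-text message does not match, and an SVG image with no animation markers does not match either, since the rule requires both selections.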
Browse all 9 detection rules for this threat: View on Threadlinqs Intelligence
Roundcube official security updates 1.6.12 and 1.5.12 — fixing cross-site scripting via SVG animate tag and information disclosure in HTML style sanitizer.

Indicators of Compromise

Behavioral Indicators

| Type | Indicator | Context |
|---|---|---|
| HTTP Request | POST /program/actions/settings/upload.php with _from=O: or _from=a: | CVE-2025-49113 deserialization exploit |
| Email Content | SVG <animate> or <set> tags in email body | CVE-2025-68461 XSS delivery |
| Session Anomaly | roundcube_sessid cookie reused from different source IP | Session hijack post-XSS |
| File Creation | New .php files in RoundCube web root by www-data | Webshell deployment |
| File Access | www-data reading config.inc.php via shell (not PHP-FPM) | Credential harvest |
| File Access | www-data accessing /var/mail/ or Maildir/ | Email spool exfiltration |
| Config Change | .forward or Sieve rule modification | Persistent email forwarding |
| Process | www-data spawning bash, sh, wget, curl | Post-RCE command execution |

Network Indicators

No specific C2 IPs or domains have been published for the current active exploitation campaign. Detection should focus on the behavioral indicators above and the exploit-specific HTTP patterns.

Timeline

| Date | Event |
|---|---|
| 2025-06-01 | RoundCube releases 1.6.11 and 1.5.10, patching CVE-2025-49113 (deserialization RCE). Reported by Kirill Firsov. |
| 2025-06-02 | CVE-2025-49113 published on NVD (CVSS 9.9). FearsOff Research publishes technical analysis. OpenWall oss-security disclosure. |
| 2025-06-15 | Debian LTS security update for Debian 11. Vicarius publishes mitigation script. |
| 2025-12-13 | RoundCube releases 1.6.12 and 1.5.12, patching CVE-2025-68461 (SVG XSS). Reported by Valentin T. from CrowdStrike. |
| 2025-12-18 | CVE-2025-68461 published on NVD (CVSS 7.2). |
| 2026-02-20 | CISA adds both CVEs to Known Exploited Vulnerabilities catalog. BOD 22-01 mandates federal remediation. |
| 2026-02-22 | Threadlinqs Intelligence publishes TL-2026-0130 with full chain analysis and detection coverage. |

MITRE ATT&CK Mapping

| Tactic | Technique | ID | Context |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | CVE-2025-49113 deserialization RCE via upload.php |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Email containing malicious SVG to trigger XSS |
| Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Post-RCE shell commands as www-data |
| Execution | Exploitation for Client Execution | T1203 | CVE-2025-68461 SVG XSS in browser |
| Persistence | Server Software Component: Web Shell | T1505.003 | PHP webshell in RoundCube web root |
| Persistence | Account Manipulation | T1098 | Sieve rule / .forward modification |
| Credential Access | Steal Web Session Cookie | T1539 | roundcube_sessid exfiltration via XSS |
| Credential Access | Input Capture: Web Portal Capture | T1056.003 | Fake login overlay injected via XSS |
| Credential Access | Unsecured Credentials: Credentials In Files | T1552.001 | config.inc.php IMAP/DB/SMTP credentials |
| Lateral Movement | Use Alternate Auth Material: Web Session Cookie | T1550.004 | Stolen session cookie replayed from different IP |
| Collection | Email Collection: Local Email Collection | T1114.001 | Mail spool access post-RCE |
| Collection | Email Collection: Remote Email Collection | T1114.002 | Forwarding rules for persistent collection |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Webshell HTTP C2 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Email data exfiltrated via webshell |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 | Log tampering post-compromise |
Full MITRE ATT&CK mapping with 26 techniques: View coverage on Threadlinqs
TL-2026-0130 on Threadlinqs Intelligence — RoundCube Webmail active exploitation (CVE-2025-49113 CVSS 9.9 + CVE-2025-68461 XSS) by Winter Vivern/TAG-70 and APT28.

Recommendations

  1. Patch immediately — Update to RoundCube 1.6.12 or 1.5.12 to close both CVEs. Patch first. Hunt second. If running 1.5.x, update to 1.5.12 which covers both fixes.
  2. Restrict access — If patching cannot happen within 24 hours, restrict RoundCube to VPN-only or IP-allowlisted access. Block external access to settings/upload.php at the WAF.
  3. Hunt for compromise — Review web server logs for POST requests to settings/upload.php with serialized PHP markers (O: or a: prefix in _from parameter). Check for new PHP files in the web root. Audit config.inc.php access patterns.
  4. Deploy detections — Implement email gateway rules for SVG content in inbound email. Monitor RoundCube sessions for IP changes within a single session.
  5. Harden long-term — Deploy Content-Security-Policy headers to mitigate XSS impact. Implement MFA for webmail access. Segment webmail servers from internal infrastructure.

Full threat intelligence, detection rules, and IOC feeds are available on Threadlinqs Intelligence. Track this threat: TL-2026-0130.