Feb 24, 2026 · 5 min read
This Webmail Bug Sat Unnoticed for a Decade—Now Hackers Are Using It to Read Your Email
CISA has ordered federal agencies to patch two actively exploited Roundcube webmail vulnerabilities by March 10, 2026. Over 53 million installations are affected.
Two Flaws, One Decade
On February 20, 2026, the Cybersecurity and Infrastructure Security Agency added two critical Roundcube Webmail vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming that threat actors are actively using them to compromise email servers in the wild.
The more severe flaw, CVE-2025-49113, carries a CVSS score of 9.9 out of 10. It is a deserialization vulnerability that allows authenticated users to execute arbitrary code on the server. Discovered by Kirill Firsov, the founder and CEO of security firm FearsOff, this bug had been sitting unnoticed in Roundcube's codebase for over a decade.
The second vulnerability, CVE-2025-68461, with a CVSS score of 7.2, is a cross-site scripting flaw triggered through SVG documents containing animate tags. Remote, unauthenticated attackers can exploit it with low-complexity attacks.
53 Million Installations at Risk
Roundcube is one of the most widely deployed open-source webmail platforms in the world. It is bundled with cPanel, Plesk, ISPConfig, DirectAdmin, and dozens of other hosting control panels. Security researchers estimate that over 53 million installations are affected by the remote code execution vulnerability alone.
That number is significant because Roundcube is not a niche product. It powers the webmail interface for hosting providers, universities, government agencies, small businesses, and organizations that cannot or do not want to rely on Gmail or Outlook. Many of these installations are managed by small teams without dedicated security staff.
A Favorite Target for State Hackers
Roundcube has been repeatedly targeted by advanced persistent threat groups. Russia's APT28, also known as Fancy Bear, has exploited Roundcube vulnerabilities to steal login credentials and monitor email communications. The Belarusian-aligned group Winter Vivern has leveraged zero-day flaws in Roundcube for similar objectives, targeting government officials and military personnel.
The pattern is consistent: state-sponsored attackers compromise Roundcube installations to gain persistent access to email accounts. Once inside, they can read messages, monitor communications, and harvest credentials without the victim ever knowing.
Email Tracking Bypass
Beyond the critical vulnerabilities, Roundcube also patched a separate privacy bypass flaw that allowed attackers to load remote images and track email opens, even when users had explicitly configured their settings to block remote images.
This is the same mechanism that spy pixels use: a tiny invisible image embedded in an email that phones home when loaded, revealing that the recipient opened the message, when they opened it, what device they used, and their approximate location. Roundcube's image-blocking feature was supposed to prevent this, but the vulnerability rendered that protection useless.
For anyone using Roundcube and relying on its image blocking to protect their privacy, those settings were not actually working as advertised.
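To make the mechanism concrete, here is an added example of what a remote-image block has to do on the server side before an HTML message is rendered. It is not Roundcube's code and does not reproduce the patched bug; it is a minimal filter that rewrites every remote image reference (http, https and protocol-relative URLs in src, srcset, background, poster and CSS url() values) to an empty data: URL so that nothing is fetched, while leaving attached (cid:) and inline (data:) images alone. The sample message, tracker hostname and placeholder value are constructed for the example.

```python
# Added example (not Roundcube's code): neutralise remote image references
# of the kind tracking pixels rely on, before an HTML email is rendered.
# Assumptions: http(s) and protocol-relative URLs are "remote"; cid: and
# data: references are local and stay untouched.
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"http", "https"}
URL_ATTRS = {"src", "srcset", "background", "poster"}
PLACEHOLDER = "data:,"  # empty data URL: renders nothing, contacts no server
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)['\"]?\s*\)", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True if loading this URL would contact an external server."""
    url = url.strip()
    if url.startswith("//"):  # protocol-relative resolves to http(s)
        return True
    return urlsplit(url).scheme.lower() in REMOTE_SCHEMES


class RemoteImageBlocker(HTMLParser):
    """Re-emits the HTML, swapping remote image URLs for PLACEHOLDER."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.blocked = []  # URLs that were neutralised, for audit logging

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, ""))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, attrs, " /"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def _filter_value(self, name: str, value: str) -> str:
        if name in URL_ATTRS:
            # srcset lists several candidates: "url 1x, url 2x"
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                url = candidate.strip().split()[0] if candidate.strip() else ""
                if url and is_remote(url):
                    self.blocked.append(url)
                    return PLACEHOLDER
            return value
        if name == "style":
            def swap(m):
                if is_remote(m.group(1)):
                    self.blocked.append(m.group(1))
                    return f"url({PLACEHOLDER})"
                return m.group(0)
            return CSS_URL.sub(swap, value)
        return value

    def _render(self, tag, attrs, suffix):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)
            else:
                parts.append(f'{name}="{escape(self._filter_value(name, value), quote=True)}"')
        return "<" + " ".join(parts) + suffix + ">"


def block_remote_images(html: str):
    """Return (filtered_html, list_of_blocked_urls)."""
    parser = RemoteImageBlocker()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.blocked


# Constructed sample: a 1x1 tracking pixel, an attached logo, a CSS background.
SAMPLE = (
    '<p>Hello &amp; welcome</p>'
    '<img src="https://tracker.example/pixel.gif?id=42" width="1" height="1">'
    '<img src="cid:logo@example">'
    '<div style="background:url(\'//cdn.example/bg.png\')">x</div>'
)

if __name__ == "__main__":
    cleaned, blocked = block_remote_images(SAMPLE)
    print(cleaned)
    print("blocked:", blocked)
```

The point of the blocked list is that a correct implementation can prove it did its job: a regression test that feeds a message with a known tracker URL and asserts the URL never reaches the rendered output is exactly the check that would have caught the bypass described above.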
The CISA Deadline
Under Binding Operational Directive 22-01, federal agencies must remediate both vulnerabilities by March 10, 2026. While the directive only applies to federal civilian agencies, CISA strongly recommends that all organizations using Roundcube apply patches immediately.
The fixes are available: Roundcube versions 1.5.10 LTS and 1.6.11 address the remote code execution flaw, while versions 1.5.12 and 1.6.12 fix the XSS vulnerability. But applying patches requires administrators to act, and many Roundcube installations are managed through hosting control panels where updates may lag behind.
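As an added check (not code from Roundcube, CISA or the article), the following script turns the fixed versions listed above into a per-CVE status for an installation. It takes a version string as reported by Roundcube (for example "1.6.10" or "1.5.10 LTS") and answers "fixed", "vulnerable" or "unknown" for each CVE. Two assumptions are labelled in the code: only the 1.5 and 1.6 branches are evaluated, because those are the branches the fixes are published for, and a pre-release tag such as "-rc" is treated as older than the final release. The helper that pulls RCMAIL_VERSION out of a define() line assumes that is where the installed version is declared; the file contents used in the sample are constructed.

```python
# Added example: map a Roundcube version string to patch status for the two
# CVEs, using the fixed versions the article reports.
# Assumption 1: only the 1.5 and 1.6 branches are known; anything else is
#               reported as "unknown" rather than guessed.
# Assumption 2: a pre-release tag (e.g. "1.6.11-rc") sorts before the final
#               release and therefore does not count as fixed.
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final)

# Fixed versions per branch, as stated in the article.
FIXES: Dict[str, Dict[Tuple[int, int], Tuple[int, int, int]]] = {
    "CVE-2025-49113": {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)},  # RCE
    "CVE-2025-68461": {(1, 5): (1, 5, 12), (1, 6): (1, 6, 12)},  # SVG XSS
}

# Assumed location of the version constant in a Roundcube checkout.
DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def parse_version(s: str) -> Version:
    """'1.6.10', '1.5.10 LTS', 'v1.6.11-rc' -> comparable 4-tuple."""
    token = s.strip().lstrip("vV").split()[0]  # drops a trailing " LTS"
    core, _, tag = token.partition("-")
    nums = [int(p) for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2], 0 if tag else 1)


def status(version: str) -> Dict[str, str]:
    """Per-CVE status: 'fixed', 'vulnerable' or 'unknown'."""
    v = parse_version(version)
    result = {}
    for cve, per_branch in FIXES.items():
        fixed = per_branch.get((v[0], v[1]))
        if fixed is None:
            result[cve] = "unknown"
        elif v >= (fixed[0], fixed[1], fixed[2], 1):
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable"
    return result


def needs_update(version: str) -> bool:
    """Anything not positively fixed for both CVEs needs attention."""
    return any(s != "fixed" for s in status(version).values())


def version_from_iniset(text: str) -> Optional[str]:
    """Extract the version from a define('RCMAIL_VERSION', '...') line."""
    m = DEFINE_RE.search(text)
    return m.group(1) if m else None


# Constructed sample of the define line, not taken from a real install.
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(found, status(found), "update needed:", needs_update(found))
```

For a fleet check, feed the output of `grep RCMAIL_VERSION` from each host into version_from_iniset and treat "unknown" the same as "vulnerable" until someone has confirmed the branch by hand.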
What You Should Do
If your organization runs Roundcube, update to the latest version immediately. If you use a hosting provider that bundles Roundcube, contact them to confirm they have applied the patches. If you are a Roundcube user who relies on image blocking for privacy, verify that your installation has been updated to a version where that feature actually works.
The combination of a decade-old remote code execution bug, active exploitation by state-sponsored hackers, and a broken privacy feature that let tracking pixels bypass user settings makes this one of the most serious webmail security events in recent memory. Over 53 million installations are exposed, and the clock is ticking.