
RoundCube Email Zero-Days: Why Webmail Is Suddenly High-Risk
I watched two CVEs drop for RoundCube on the same Tuesday morning and knew immediately that something had shifted. CISA added both to their Known Exploited Vulnerabilities catalog within 48 hours. That doesn't happen for low-impact bugs. This was February 2025, and security teams everywhere suddenly had to care about their webmail infrastructure in a way they hadn't before.

Email clients aren't usually where the cool kids hunt for zero-days. But attackers had figured something out—something that should make every security team with self-hosted mail pause and reassess.

What Actually Happened: The Dual CVE Drop

The timing here matters. Two CVEs dropping simultaneously—CVE-2025-49113 and CVE-2025-68461—suggests coordinated disclosure, possibly under active exploitation. Both affect RoundCube versions before 1.6.10 and 1.5.9. CVE-2025-49113 is an arbitrary PHP deserialization flaw in the unserialize() call within rcube_cache.php
Continue reading on Dev.to



