The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with three security issues (two critical Roundcube Webmail flaws and a BeyondTrust vulnerability), confirming exploitation in real-world attacks.
The first Roundcube Webmail vulnerability, tracked as CVE-2025-49113, is a high-severity deserialization of untrusted data issue that can lead to remote code execution (RCE). It was reported as actively exploited just days after patches were released in June 2025. At the time, internet security watchdog Shadowserver Foundation warned that more than 84,000 exposed Roundcube installations were vulnerable to attacks.
The second flaw, CVE-2025-68461, was patched in December 2025. Roundcube developers said remote, unauthenticated attackers could exploit the issue through low-complexity cross-site scripting (XSS) attacks abusing the animate tag in SVG documents. The security team released versions 1.6.12 and 1.5.12 to address the vulnerability.
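A defender triaging SVG mail attachments can list every animation element before the file reaches a renderer. The Python sketch below is an added example, not Roundcube's patch or sanitizer code; the tag set beyond `animate`, the function names, and the sample documents are assumptions constructed for illustration, and it handles standalone SVG files only, not SVG inlined in HTML mail.

```python
import xml.etree.ElementTree as ET

# "animate" is the tag named in the advisory text above. The other SMIL
# animation elements are included as an assumption, because they can also
# change attributes at render time.
ANIMATION_TAGS = {"animate", "set", "animatetransform", "animatemotion"}

def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def find_svg_animations(svg_bytes):
    """Return [(tag, attributeName), ...] for each animation element.

    Raises ValueError for documents carrying a DTD or that fail to parse,
    so untrusted input never reaches entity expansion.
    """
    upper = svg_bytes.upper()
    if b"<!DOCTYPE" in upper or b"<!ENTITY" in upper:
        raise ValueError("DTD or entity declaration present; not parsed")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    hits = []
    for el in root.iter():
        name = local_name(el.tag)
        if name.lower() in ANIMATION_TAGS:
            hits.append((name, el.get("attributeName", "")))
    return hits

def triage(svg_bytes):
    """Map a document to 'pass', 'review' (animation found) or 'reject'."""
    try:
        hits = find_svg_animations(svg_bytes)
    except ValueError as exc:
        return ("reject", str(exc))
    return ("review", hits) if hits else ("pass", [])

# Constructed sample documents (not taken from any real message).
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ANIMATED = (b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5">'
            b'<animate attributeName="r" to="9" dur="1s"/></circle></svg>')
WITH_DTD = b'<!DOCTYPE svg [<!ENTITY a "b">]><svg>&a;</svg>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("animated", ANIMATED),
                       ("dtd", WITH_DTD)):
        print(label, triage(doc))
```

A "review" verdict only means an animation element exists; the reported `attributeName` tells the analyst which attribute it rewrites, and upgrading to 1.6.12 or 1.5.12 remains the actual fix.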
Roundcube has long been a target for cybercriminal and state-sponsored groups. A previous stored XSS flaw (CVE-2023-5631) was exploited in zero-day attacks by the Russian-linked Winter Vivern (TA473) group and by APT28 to compromise European and Ukrainian government email systems.
Separately, CISA has also warned of active exploitation of CVE-2026-1731, an OS command injection vulnerability affecting BeyondTrust Remote Support.
BeyondTrust disclosed the flaw on February 6, describing it as exploitable via specially crafted client requests sent to vulnerable endpoints. Proof-of-concept exploits quickly became available, and the company later confirmed that in-the-wild exploitation began on January 31. CISA has flagged the vulnerability as actively exploited in ransomware attacks.
According to a report from Palo Alto Networks Unit 42, attackers have abused the vulnerability for network reconnaissance, web shell deployment, command-and-control (C&C) activity, backdoor installation, lateral movement, and data theft. The campaign has targeted organizations across financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors in the United States, France, Germany, Australia, and Canada.