Cyber Threat Brief — February 21, 2026

⚠️ This report is AI-generated. Always validate findings.

Cyber Threat Brief for Detection Engineers

Date: February 21, 2026
Coverage Window: February 20-21, 2026


1. CISA Adds Two Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog

What’s New

CISA added two Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities catalog on February 20, 2026, citing evidence of active exploitation in the wild. The critical deserialization RCE (CVE-2025-49113) was weaponized within 48 hours of disclosure and has been lurking in the codebase for over 10 years.

Technical Details

| Field | Value |
| --- | --- |
| CVE-2025-49113 | Deserialization of untrusted data → RCE |
| CVSS (49113) | 9.9 (Critical) |
| CVE-2025-68461 | Cross-site scripting via SVG animate tag |
| CVSS (68461) | 7.2 (High) |
| Affected | Roundcube < 1.5.12 and < 1.6.12 |
| Exploit Status | Public exploits available (49113 sold on dark web June 2025) |
| Authentication | CVE-2025-49113 requires authentication; CVE-2025-68461 does not |
| Known Attackers | APT28 (Russia), Winter Vivern (Russia/Belarus) have targeted Roundcube historically |

CVE-2025-49113 Details:

  • Location: program/actions/settings/upload.php
  • Root Cause: _from parameter in URL not validated, allowing deserialization of attacker-controlled data
  • Impact: Post-authentication remote code execution on webmail servers
  • Timeline: Hidden in codebase for 10+ years, fixed June 2025, exploit sold June 4, 2025, weaponized within 48 hours
  • Exploitation: Works reliably on default installations

CVE-2025-68461 Details:

  • Vector: SVG document with malicious animate tag
  • Impact: XSS leading to session hijacking, credential theft, email access
  • Timeline: Fixed December 2025, now actively exploited

TTPs

| Tactic | Technique | Observable |
| --- | --- | --- |
| Initial Access | T1190 - Exploit Public-Facing Application | POST requests to /program/actions/settings/upload.php with serialized payloads |
| Execution | T1059 - Command and Scripting Interpreter | PHP code execution via deserialization |
| Credential Access | T1056.003 - Web Portal Capture | XSS-based session token theft via malicious SVG |
| Persistence | T1505.003 - Web Shell | Webshell upload post-RCE (CVE-2025-49113) |
| Collection | T1114 - Email Collection | Access to all webmail data post-compromise |

Detection Opportunities

For CVE-2025-49113 (Deserialization RCE):

Web Server Logs:

POST /program/actions/settings/upload.php
POST /?_task=settings&_action=upload

Look for:

  • Unusual _from parameter values containing serialized PHP objects
  • Base64-encoded payloads in upload requests
  • Requests from IPs with no prior authenticated session, followed by a successful authentication
  • POST requests to settings endpoints outside normal business hours

PHP Error Logs:

  • Unserialize errors or warnings
  • Attempts to instantiate unexpected classes
  • File write operations in /temp/ or /logs/ directories

Network Indicators:

  • Outbound connections from webmail server to unexpected IPs (C2 callbacks)
  • Large data transfers from webmail server (exfiltration)
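The web-log checks above (POSTs to the upload endpoint, serialized PHP objects in `_from`, base64 wrapping) as a small scanner over access-log lines. This is an added example, not part of the brief; the sample lines are constructed and the `O:<len>:"<class>":` marker it matches on is an assumption about what a serialized PHP object looks like, not an observed indicator.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

UPLOAD_PATH = "/program/actions/settings/upload.php"  # endpoint named in the brief
# Start of a serialized PHP object: O:<len>:"<class>":<count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
# Apache/Nginx combined log format; only the groups used below are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def serialized_form(value: str):
    """'raw' or 'base64' when value carries a PHP serialized object, else None."""
    if PHP_OBJECT_RE.search(value):
        return "raw"
    try:  # base64 wrapping is the other encoding the brief asks to watch for
        decoded = base64.b64decode(value, validate=True).decode("latin-1")
    except ValueError:  # not base64 at all (binascii.Error is a ValueError)
        return None
    return "base64" if PHP_OBJECT_RE.search(decoded) else None

def is_upload_endpoint(target: str) -> bool:
    """Match the direct upload.php path or the ?_task=settings&_action=upload form."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    return parts.path.endswith(UPLOAD_PATH) or (
        qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]
    )

def check_line(line: str):
    """Finding dict for a POST to the upload endpoint whose _from parameter
    carries a serialized PHP object; None for every other line."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not is_upload_endpoint(m["target"]):
        return None
    for value in parse_qs(urlsplit(m["target"]).query).get("_from", []):
        form = serialized_form(value)  # parse_qs has already URL-decoded it
        if form:
            return {"ip": m["ip"], "ts": m["ts"], "form": form, "status": m["status"]}
    return None

def scan(lines):
    return [f for f in map(check_line, lines) if f]

# Constructed sample lines (not real traffic): normal upload, raw serialized, base64, GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Feb/2026:09:14:02 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Feb/2026:23:41:17 +0000] "POST /program/actions/settings/upload.php?_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 88',
    '192.0.2.33 - - [21/Feb/2026:02:03:44 +0000] "POST /?_task=settings&_action=upload&_from=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D HTTP/1.1" 200 88',
    '203.0.113.9 - - [21/Feb/2026:02:05:01 +0000] "GET /?_task=mail HTTP/1.1" 200 2048',
]
```

Run `scan(SAMPLE_LOG)` to see the two flagged requests; a normal identity-settings upload and the unrelated GET produce nothing.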

For CVE-2025-68461 (SVG XSS):

Email Logs:

  • Emails with SVG attachments containing <animate> tags
  • Emails with embedded SVG in HTML body
  • JavaScript execution attempts from webmail interface

WAF/Proxy Logs:

  • SVG documents with script execution patterns
  • XSS payloads in email rendering context
  • Session token theft patterns (cookies sent to external domains)
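The SVG attachment checks above, as an added example that is not part of the brief: it walks a constructed multipart message, pulls each image/svg+xml part and flags `<animate>`. Extending the single tag the brief names to its SMIL siblings and to `<script>`/event-handler attributes is an assumption made here.

```python
import xml.etree.ElementTree as ET
from email import message_from_string

# The brief names <animate>; its SMIL siblings are added here as an assumption.
ANIMATION_TAGS = {"animate", "set", "animateTransform", "animateMotion"}

def local_name(qualified: str) -> str:
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute name."""
    return qualified.rsplit("}", 1)[-1]

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Reasons to hold an SVG for review (empty list: nothing flagged). ElementTree
    suits this constructed sample; parse untrusted mail with defusedxml instead."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError:
        return ["unparseable SVG"]
    reasons = []
    for el in root.iter():
        name = local_name(el.tag)
        if name in ANIMATION_TAGS:
            reasons.append(f"<{name}> on attributeName={el.get('attributeName')!r}")
        if name == "script":
            reasons.append("<script> element")
        for attr in el.attrib:  # onload, onbegin, ... event handler attributes
            if local_name(attr).lower().startswith("on"):
                reasons.append(f"event handler {local_name(attr)} on <{name}>")
    return reasons

def scan_message(raw: str) -> dict[str, list[str]]:
    """Map each image/svg+xml part of a raw RFC 5322 message to its findings."""
    results = {}
    for part in message_from_string(raw).walk():
        if part.get_content_type() == "image/svg+xml":
            name = part.get_filename() or "(inline svg)"
            results[name] = svg_findings(part.get_payload(decode=True))
    return results

# Constructed message, not a real capture: one SVG attachment carrying <animate>.
SAMPLE_MAIL = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/svg+xml; name="card.svg"

<svg xmlns="http://www.w3.org/2000/svg"><rect width="1"><animate attributeName="width" to="9" dur="1s"/></rect></svg>
--b1--
"""
```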

Post-Exploitation Indicators:

  • New admin accounts created in Roundcube
  • PHP files written to webroot (/var/www/roundcube/, /usr/share/roundcube/)
  • Configuration file modifications (config/config.inc.php)
  • Suspicious cron jobs or scheduled tasks

Log Sources

Required:

  • Apache/Nginx access logs (webmail server)
  • Apache/Nginx error logs
  • PHP error logs
  • Application logs (/var/log/roundcube/, logs/errors.log)
  • Email server logs (SMTP, IMAP)

Recommended:

  • WAF logs (if deployed in front of webmail)
  • NetFlow/network connection logs
  • EDR telemetry from webmail server
  • File integrity monitoring (FIM) on webmail directories

Detection Coverage

| Source | Status |
| --- | --- |
| Sigma | ❌ Gap - No Roundcube-specific detections found |
| Splunk ESCU | ❌ Gap - No Roundcube detections found |
| Elastic | ❌ Gap - No Roundcube detections found |
| KQL | ❌ Gap - No Roundcube detections found |

Detection Gap Assessment: No existing detection rules found in major repositories for Roundcube exploitation. Organizations should:

  1. Create custom rules based on detection opportunities above
  2. Monitor for Roundcube-specific HTTP endpoints
  3. Baseline normal webmail authentication patterns
  4. Alert on deserialization errors in PHP logs

Recommended Hunting Query (Generic Web Shell Detection):

Flags PHP files created or written under the webmail directories and removes a baseline of expected files (known_good_files is assumed here to be a lookup with a file column):

index=linux sourcetype=linux:audit
    (path="/var/www/roundcube/*" OR path="/usr/share/roundcube/*")
    (type=CREATE OR type=WRITE)
    file="*.php"
| search NOT [| inputlookup known_good_files | fields file]
| table _time, user, path, file, command

Response Recommendations

Immediate Actions:

  1. Patch immediately - Upgrade to Roundcube 1.5.12+ or 1.6.12+
  2. Hunt for compromise:
    • Search web logs for exploitation patterns above
    • Check for unexpected PHP files in webroot
    • Review admin account creation logs
    • Look for unauthorized configuration changes
  3. Isolate if compromised - Take servers offline, preserve logs, engage IR

Hardening Measures:

  • Disable file uploads in settings if not required
  • Implement WAF rules to block serialized payloads
  • Restrict webmail access to VPN/trusted networks where possible
  • Enable 2FA for all webmail accounts
  • Monitor for SVG uploads and sanitize/block them

FCEB Deadline: Federal agencies must remediate by March 13, 2026 per CISA BOD 22-01

Historical Context

Roundcube has been a consistent target for nation-state actors:

  • APT28 (Fancy Bear) - Russian GRU, historically targeted webmail for credential theft
  • Winter Vivern (Russia/Belarus) - Exploited prior Roundcube XSS flaws for espionage

The 10-year age of CVE-2025-49113 suggests potential for widespread compromise before patch availability.


Summary

Threats in last 24 hours: 1 (Roundcube webmail vulnerabilities added to CISA KEV)

Key Takeaway: Organizations running Roundcube webmail face critical risk from actively exploited vulnerabilities, including a 10-year-old deserialization RCE weaponized within 48 hours of disclosure. Immediate patching and threat hunting are essential.

Detection Gap: No existing detection rules found for Roundcube exploitation in major repositories. Custom rules required.

Next Steps:

  1. Identify all Roundcube instances in your environment
  2. Patch to 1.5.12+ or 1.6.12+ immediately
  3. Hunt for indicators of compromise using detection opportunities above
  4. Create custom detection rules for Roundcube-specific exploitation patterns

Monitoring continues for emerging threats.


Generated: 2026-02-21 05:00 PST