Roundcube Webmail under fire: critical exploit found after a decade

A critical flaw in Roundcube webmail, undetected for 10 years, allows attackers to take over systems and execute arbitrary code.
A critical flaw, tracked as CVE-2025-49113 (CVSS score of 9.9), has been discovered in the Roundcube webmail software. The vulnerability went unnoticed for over a decade; an attacker can exploit it to take control of affected systems and run malicious code, putting users and organizations at significant risk. Kirill Firsov, founder and CEO of FearsOff, discovered the vulnerability.
“Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.” reads the advisory published by NIST.
The vulnerability has been addressed in 1.6.11 and 1.5.10 LTS.
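The affected range in the advisory is easy to misread (every release before 1.5.10 is affected, not only the 1.5 branch). The following version check is an added example, not code from the article or from the Roundcube project; the version strings it parses are constructed, and treating branches newer than 1.6 as unaffected is an assumption, since the advisory names no such branch.

```python
"""Classify a Roundcube version string against the CVE-2025-49113 advisory range.

Added example, not part of the SecurityAffairs article or of Roundcube.
Affected per the NVD advisory: anything before 1.5.10, and 1.6.x before 1.6.11.
"""

import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {
    (1, 5): (1, 5, 10),
    (1, 6): (1, 6, 11),
}


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '1.6.10' (optionally with a suffix such as '-rc1') into (1, 6, 10).

    A missing patch component is padded with 0, so '1.6' becomes (1, 6, 0).
    Pre-release suffixes are ignored: '1.6.11-rc' compares equal to 1.6.11.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]
    return parts[0], parts[1], parts[2]


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        # 1.5.x and 1.6.x: compare against the fixed release of that branch.
        return v < FIXED[branch]
    # Everything below the 1.5 branch predates both fixes and is affected.
    # Branches newer than 1.6 are treated as unaffected (assumption: the
    # advisory names none).
    return v < (1, 5, 0)


def hosts_needing_patch(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames whose recorded Roundcube version is affected."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    sample = {
        "mail1.example.test": "1.6.10",
        "mail2.example.test": "1.6.11",
        "legacy.example.test": "1.4.15",
        "lts.example.test": "1.5.10",
    }
    for host in hosts_needing_patch(sample):
        print(f"{host}: {sample[host]} is affected, upgrade to 1.5.10 LTS or 1.6.11")
```

Use the version reported by the installation you are auditing; the function only encodes the range from the advisory and does not confirm the installation is patched by any other means.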
Firsov estimates that the flaw impacts over 53 million hosts, including installations bundled with hosting control panels such as cPanel, Plesk, ISPConfig and DirectAdmin. He said that details and a PoC will be published soon.
(SecurityAffairs – hacking, CVE-2025-49113)