CVE-2025-49113: Critical Roundcube Vulnerability Enables RCE Exploitation
A recent vulnerability in Roundcube webmail software has drawn significant attention from the cybersecurity community. Hidden over a decade, this flaw enables Remote Code Execution (RCE), potentially allowing attackers to seize control of affected systems.
Here’s what you need to know about CVE-2025-49113, the scope of its impact, and the urgent steps to protect your systems.
What is CVE-2025-49113?
CVE-2025-49113 (CVSS 9.9) is a critical Remote Code Execution (RCE) vulnerability impacting Roundcube webmail servers. It enables attackers to execute arbitrary commands on targeted systems after successfully authenticating.

Quick details on CVE-2025-49113 (SOCRadar Vulnerability Intelligence)
This flaw arises from improper input validation in Roundcube’s handling of the _from GET parameter in the upload.php script. Specifically, when a session variable begins with an exclamation mark (!), the stored session data can become corrupted. Because input arriving via the _from parameter is not sanitized, an attacker can use this corruption to inject a malicious PHP object into the session, and its deserialization leads to RCE.
Although exploitation requires authentication with a valid username and password, attackers could obtain credentials through methods such as CSRF. It is also reported that exploitation is not detectable by a WAF.
A Decade-Old Bug Affecting Widespread Versions
The vulnerability affects all Roundcube versions before 1.5.10, and 1.6.x up to 1.6.10, including default deployments in popular hosting environments such as cPanel, Plesk, and ISPConfig. It was exploitable for over ten years until the patch was released on June 1, 2025, with security updates 1.6.11 and 1.5.10 LTS closing the security hole.
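The two affected ranges above are easy to misread when checking a fleet of mail hosts by hand (1.5.9 is affected, 1.5.11 is not, 1.6.10 is, 1.6.11 is not). The script below is an added example, not SOCRadar’s, FearsOff’s or Roundcube’s code; it encodes exactly the ranges the article states and reports which hosts in a constructed inventory need which fix release. Host names and version strings are placeholders.

```python
"""Fleet check against the affected-version ranges named in the advisory:
every release before 1.5.10, and 1.6.0 through 1.6.10.

Added example for illustration; it is not SOCRadar's, FearsOff's or
Roundcube's code.  The inventory below is constructed, not real hosts.
"""
import re

FIXED_15 = (1, 5, 10)   # 1.5.10 LTS
FIXED_16 = (1, 6, 11)   # 1.6.11


def parse_version(text):
    """'1.6.10', '1.6.10-1.el9' or '1.5' -> 3-tuple of ints (missing parts = 0)."""
    m = re.match(r'\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?', text)
    if not m:
        raise ValueError(f'not a version string: {text!r}')
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def is_affected(text):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return v < FIXED_15 or (1, 6, 0) <= v < FIXED_16


def target_version(text):
    """Fix release named in the article for this branch: 1.5.x stays on the LTS line."""
    v = parse_version(text)
    return '1.5.10' if v[:2] == (1, 5) else '1.6.11'


def hosts_needing_upgrade(inventory):
    """inventory: {hostname: version string} -> sorted [(host, version, target)]."""
    out = []
    for host, ver in inventory.items():
        if is_affected(ver):
            out.append((host, ver, target_version(ver)))
    return sorted(out)


# Constructed inventory (placeholder host names, not real systems).
INVENTORY = {
    'mail-a.example.test': '1.6.10',
    'mail-b.example.test': '1.6.11',
    'mail-c.example.test': '1.5.9',
    'mail-d.example.test': '1.4.13',
    'mail-e.example.test': '1.5.10',
}

if __name__ == '__main__':
    for host, ver, target in hosts_needing_upgrade(INVENTORY):
        print(f'{host}: {ver} is affected, upgrade to {target}')
```

One caveat when using a version string alone: distribution packages sometimes backport the fix while keeping the old upstream version number, so confirm against the package changelog before treating a host as patched or unpatched.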
Given Roundcube’s popularity, the scale of exposure is significant. Roundcube is widely deployed by shared hosting providers like Hostinger, GoDaddy, Dreamhost, OVH, and Gandi.
It is estimated that over 53 million hosts are exposed, highlighting the severity of the threat and escalating the urgency to apply these patches. FearsOff founder and CEO Kirill Firsov, who originally discovered the flaw, described the situation as an “email armageddon”.

FOFA results on Roundcube hosts
CVE-2025-49113 Exploit for Sale on Dark Web Forums
Firsov also highlighted on X that an exploit for CVE-2025-49113 is actively being sold in underground forums, making it clear that the exploit is now widely known and circulating among threat actors.

Exploit sale for CVE-2025-49113 on a Dark Web forum (SOCRadar Dark Web News)
Additionally, PT Swarm confirmed they successfully reproduced the flaw, further reinforcing the fact that it is fully exploitable and emphasizing the urgency of applying immediate updates and staying vigilant.

SOCRadar’s Vulnerability Intelligence: CVE & Hacker Trends
Vulnerabilities in Roundcube have repeatedly attracted attention from threat actors. For example, last year’s CVE-2024-37383 was exploited in phishing attacks against government agencies, underscoring the ongoing risks targeting this software.
To track such vulnerabilities and exploit activity faster, SOCRadar’s Vulnerability Intelligence, under the Cyber Threat Intelligence module, offers real-time alerts, exploitability assessments, and enriched context – helping you stay ahead of threat actor campaigns and mitigate risks before they escalate.
Who is at Risk?
The Shadowserver Foundation reported that as of June 8, 2025, there were around 84,000 vulnerable Roundcube instances accessible online. Country-wise, the largest number of exposed instances are found in the United States, India, and Germany.

Map view of CVE-2025-49113 impact (Shadowserver)
Technical Details and Proof-of-Concept Code Released
To aid defenders, FearsOff has released comprehensive technical details on their blog and a Proof-of-Concept (PoC) exploit on GitHub.
Originally intended for publication after a responsible disclosure window, these details were released early due to the rapid weaponization of the exploit within 48 hours of patch availability. FearsOff emphasized that this full disclosure aims to help defenders respond effectively before exploitation escalates further and ensure transparency and accuracy in understanding the issue.
How to Mitigate CVE-2025-49113
The Roundcube CVE-2025-49113 vulnerability highlights the persistent risks of overlooked input sanitization and session handling flaws. System administrators are strongly urged to patch immediately and monitor their environments for potential exploitation attempts.
Here are key steps to safeguard your systems:
- Upgrade Roundcube to version 1.6.11 or 1.5.10 LTS to patch the flaw.
- If upgrading is not possible:
  - Restrict access to the webmail interface to trusted IP ranges.
  - Disable file uploads in Roundcube settings.
  - Implement CSRF protection and tighten session management.
  - Block risky PHP functions that can aid exploitation.
  - Monitor logs for suspicious activity tied to the _from parameter.
- Monitor for Indicators of Compromise (IoCs):
  - Watch for unexpected file uploads and session manipulations.
  - Look for suspicious PHP object deserialization patterns.
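The monitoring steps above (watching the _from parameter and looking for PHP object deserialization patterns) can be turned into a first-pass log triage. The script below is an added example, not SOCRadar’s, FearsOff’s or Roundcube’s code. It assumes Apache/nginx combined-format access logs and that a legitimate _from value contains only letters, digits, underscore and hyphen, so a value starting with the exclamation mark the article describes fails the allow-list; it also flags the opening of a PHP serialized object (O:<len>:") in any query parameter. The sample log lines are constructed with documentation-range addresses.

```python
"""Scan web-server access logs for requests that send a _from parameter
Roundcube should never see, plus serialized-PHP-object markers in any
parameter.

Added example for illustration; it is not SOCRadar's, FearsOff's or
Roundcube's code.  Assumptions not taken from the article: logs are in the
Apache/nginx "combined" format, and a legitimate _from value contains only
letters, digits, '_' and '-'.  A hit is a lead for triage, not a verdict.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Prefix of the combined log format; trailing referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Allow-list for _from; anything else, in particular a leading '!', is flagged.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')

# Opening of a PHP serialized object, e.g. O:8:"stdClass":0:{}
PHP_OBJECT_RE = re.compile(r'O:\d+:"')


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('target'))
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        'method': m.group('method'),
        'path': url.path,
        # parse_qsl percent-decodes, so %21 is compared as '!'
        'params': parse_qsl(url.query, keep_blank_values=True),
        'status': int(m.group('status')),
    }


def triage(rec):
    """Reasons a parsed request deserves a look; an empty list means none."""
    reasons = []
    for key, value in rec['params']:
        if key == '_from' and not SAFE_FROM.match(value):
            reasons.append(f'_from outside allow-list: {value!r}')
        if PHP_OBJECT_RE.search(value):
            reasons.append(f'serialized PHP object marker in {key!r}')
    return reasons


def scan(log_text):
    """Return [(ip, time, path, reasons)] for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # blank or non-log lines are skipped
        reasons = triage(rec)
        if reasons:
            findings.append((rec['ip'], rec['time'], rec['path'], reasons))
    return findings


# Constructed sample (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jun/2025:10:15:02 +0000] "POST /roundcube/?_task=mail&_action=upload&_id=42&_from=compose HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jun/2025:10:16:44 +0000] "POST /roundcube/?_task=mail&_action=upload&_id=42&_from=%21compose HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.4 - - [05/Jun/2025:10:17:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Jun/2025:10:18:30 +0000] "GET /roundcube/?_task=mail&_action=upload&_from=compose&_id=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.0"
not a log line at all
"""

if __name__ == '__main__':
    for ip, when, path, reasons in scan(SAMPLE_LOG):
        print(ip, when, path, '; '.join(reasons))
```

The check is deliberately independent of the request path: in a typical Roundcube deployment the upload handler is reached through index.php with an _action parameter rather than as a literal upload.php URL, so matching on the parameter rather than the script name keeps the detector useful across installations. Percent-decoding happens before the allow-list comparison, so an encoded %21 is caught as well as a literal !.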
See What Attackers See with SOCRadar’s Attack Surface Management (ASM)
Your organization’s digital footprint is bigger than you think. SOCRadar’s Attack Surface Management module continuously scans your entire environment, helping you discover and secure the assets that threat actors might exploit.

SOCRadar’s ASM module, Company Vulnerabilities page
- Identify internet-facing assets, vulnerable services like outdated instances, and misconfigured ports
- Detect third-party risks and shadow IT that attackers could use as entry points
- Get alerts on domain impersonation or suspicious assets mimicking your infrastructure
- Visualize your entire attack surface to understand where you’re most exposed
With ASM, you gain full visibility into your exposure, so you can close the gaps before attackers even find them.
Article Link: https://socradar.io/cve-2025-49113-roundcube-vulnerability-rce/