Friday, June 6, 2025

Cybersecurity researchers have disclosed a critical vulnerability tracked as CVE-2025-49113 (CVSS score: 9.9) in Roundcube Webmail, a widely used open-source webmail platform that has been in operation for over 10 years. The flaw allows authenticated attackers to achieve remote code execution (RCE) and potentially take full control of the system. The vulnerability, discovered by Kirill Firsov from security firm FearsOff, has been patched in Roundcube versions 1.5.10 (LTS) and 1.6.11.
According to the NIST advisory, the flaw stems from insufficient validation of the `_from` parameter passed via URL to `upload.php`, which leads to a PHP Object Deserialization vulnerability. This allows an attacker to execute arbitrary commands without restriction. Firsov estimates the vulnerability affects more than 53 million hosts, including those running popular hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin. He also announced that technical details and a proof-of-concept (PoC) exploit will be released soon.
Researchers at Positive Technologies have confirmed the vulnerability is exploitable and strongly advise users to immediately update Roundcube to the latest version. Roundcube has previously been a target of APT groups like APT28 and Winter Vivern, who exploited the platform to steal login credentials and spy on email communications.
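For administrators who run several Roundcube instances, the first practical step is to find out which of them still sit below the fixed releases named above. The following script is an added example, not code from the article, from FearsOff, or from the Roundcube project; the only facts it takes from the page are the two fixed versions, 1.5.10 and 1.6.11. Its triage rule is an assumption stated in the code: a host counts as patched only if it runs a release at or above the fix for its branch (1.5.x or 1.6.x) or a newer branch, and any 1.4.x or older branch is treated as unpatched because no fix was named for it. The host inventory is a constructed sample.

```python
"""Triage Roundcube installations against the fixed releases for CVE-2025-49113.

Added example; not the article's or the project's code.  Fixed versions come
from the advisory text (1.5.10 LTS, 1.6.11).  The branch rule below is an
assumption, not something the advisory states.
"""

import re

# Fixed releases per branch, keyed by (major, minor).  From the advisory text.
FIXED = {
    (1, 5): (1, 5, 10),
    (1, 6): (1, 6, 11),
}


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.6.9' or 'v1.5.10'.

    Raises ValueError for strings that carry no three-part version.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version):
    """True if this version is at or above the fix for its branch.

    Assumption: a branch newer than the newest fixed branch (for example a
    hypothetical 1.7.x) is treated as carrying the fix; a branch older than
    1.5 is treated as unpatched, since no fixed release was named for it.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > max(FIXED)


def triage(inventory):
    """Split {hostname: version} into patched and unpatched host lists.

    Hosts whose version string cannot be parsed are reported separately so
    that they are not silently counted as safe.
    """
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(version) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.11",
    "mail-b.example.test": "1.6.10",
    "mail-c.example.test": "v1.5.10",
    "mail-d.example.test": "1.5.9",
    "mail-e.example.test": "1.4.15",
    "mail-f.example.test": "unknown",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Version strings can be collected from each host's `program/include/iniset.php` (the `RCMAIL_VERSION` constant) or from whatever the hosting panel reports; the script only cares that a three-part number appears somewhere in the string. Anything it cannot parse lands in the `unknown` bucket on purpose, so a missing or odd value never reads as "patched".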