CVE-2025-49113

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is...

Basic Information

CVE State
PUBLISHED
Reserved Date
June 02, 2025
Published Date
June 02, 2025
Last Updated
June 12, 2025
Vendor
Roundcube
Product
Webmail
Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Tags
nuclei_scanner php

CVSS Scores

CVSS v3.1

9.9 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

Score
30.94% (Percentile: 96.48%) as of 2025-06-13

SSVC Information

Exploitation
poc
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (2025-06-05 17:00:48 UTC)

Known Exploited Vulnerability Information

Source
BleepingComputer
Added Date
2025-06-05 17:00:41 UTC

Recent Mentions

CVE-2025-49113: Proof of Concept Demonstrating Remote Code Execution Through Insecure Deserialization in Roundcube

Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Source: BleepingComputer • Published: 2025-06-09 20:14:16 UTC

Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit. [...]

Hacker selling critical Roundcube webmail exploit as tech info disclosed

Source: BleepingComputer • Published: 2025-06-05 16:55:54 UTC

Hackers are actively exploiting CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. [...]

Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Source: TheHackerNews • Published: 2025-06-03 13:01:00 UTC

Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via

[roundcube/roundcubemail] Roundcube Webmail Vulnerable to Authenticated RCE via PHP Object Deserialization

Source: Github Advisory Database (Composer) • Published: 2025-06-02 06:30:32 UTC

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-49113
  • https://github.com/roundcube/roundcubemail/pull/9865
  • https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
  • https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
  • https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
  • https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
  • https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
  • https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
  • https://fearsoff.org/research/roundcube
  • http://www.openwall.com/lists/oss-security/2025/06/02/3
  • https://github.com/advisories/GHSA-8j8w-wwqc-x596

Scanner Integrations

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel

  • Detected by Nuclei