Full Report
Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code. The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via
Analysis Summary
# Vulnerability: Critical Roundcube Webmail RCE via Deserialization
## CVE Details
- CVE ID: CVE-2025-49113
- CVSS Score: 9.9 (Critical)
- CWE: Deserialization of Untrusted Data (CWE-502; inferred from the description, not stated in the source report)
## Affected Systems
- Products: Roundcube Webmail
- Versions: All 1.5.x versions before 1.5.10 and all 1.6.x versions before 1.6.11 (i.e. up to and including 1.6.10)
- Configurations: Requires prior authentication.
## Vulnerability Description
The vulnerability is a post-authenticated Remote Code Execution (RCE) flaw stemming from PHP Object Deserialization. It occurs because the `_from` parameter passed in a URL within the file `program/actions/settings/upload.php` is not properly validated, allowing an authenticated attacker to inject malicious serialized objects that are subsequently deserialized, leading to arbitrary code execution on the server.
## Exploitation
- Status: PoC expected (the vendor stated a PoC would be made public "soon" after the patch release)
- Complexity: Not explicitly stated in the source; as a post-authentication RCE the impact is high regardless of attack complexity.
- Attack Vector: Network (Requires prior authentication)
## Impact
- Confidentiality: High (Can lead to the compromise of all data handled by the server)
- Integrity: High (Attacker can modify system files and application settings)
- Availability: High (Attacker can disrupt service or take over the system)
## Remediation
### Patches
- Roundcube 1.5.10 LTS
- Roundcube 1.6.11
### Workarounds
- No specific workarounds were mentioned in the provided context. The standard interim mitigation is to restrict network access to the Roundcube instance (strict ingress filtering to trusted users and networks) until the patch is applied.
## Detection
- Investigators should look for unusual activity associated with the `program/actions/settings/upload.php` endpoint, particularly requests containing serialized PHP data structures within URL parameters.
- Monitor web server/application logs for application errors indicative of deserialization failure or unexpected PHP execution traces occurring post-authentication.
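The following is an added example of the log check described above, written for this summary; it is not code from Roundcube or from the referenced advisories. It scans web-server access-log lines in the common combined format for requests that reach the settings upload action and carry a PHP-serialized structure in a query parameter. Assumptions: the log format, the serialized-data patterns (`O:<n>:"`, `a:<n>:{`, `s:<n>:"`) and the idea that Roundcube dispatches the upload action through `_task=settings&_action=upload` (the file path `program/actions/settings/upload.php` is also matched in case it appears directly); the sample log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2025:10:14:01 +0000] "GET /?_task=settings&_action=upload&_from=identity-form HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jun/2025:10:15:22 +0000] "GET /?_task=settings&_action=upload&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [02/Jun/2025:10:16:03 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD URL PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed markers of PHP serialize() output: objects, arrays and strings.
# Any of these inside a URL parameter is abnormal for this endpoint.
SERIALIZED_RE = re.compile(r'O:\d+:"|a:\d+:\{|s:\d+:"')


def is_upload_endpoint(url: str) -> bool:
    """True if the request targets the settings upload action (assumed routing)."""
    parts = urlsplit(url)
    if parts.path.endswith("program/actions/settings/upload.php"):
        return True
    qs = parse_qs(parts.query, keep_blank_values=True)
    return qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]


def find_serialized_params(url: str) -> list:
    """Return names of query parameters whose (URL-decoded) value looks serialized."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, values in qs.items():
        if any(SERIALIZED_RE.search(v) for v in values):
            hits.append(name)
    return sorted(hits)


def scan_log(text: str) -> list:
    """Scan log lines; return one finding per suspicious upload-endpoint request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_upload_endpoint(m.group("url")):
            continue
        params = find_serialized_params(m.group("url"))
        if not params:
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "params": params,
            # A 5xx right after such a request corroborates a deserialization failure.
            "status": int(m.group("status")),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} serialized data in {f['params']} (HTTP {f['status']})")
```

The check is deliberately narrow (only the upload action, only serialized-looking values) so it can run over large logs with few false positives; widen `is_upload_endpoint` if your deployment exposes the action under a different path.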
## References
- Vendor Advisory (Fix release announcement): hxxps://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
- Researcher Advisory: hxxps://fearsoff.org/research/roundcube
- NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-49113