Full Report
Over 84,000 instances of the Roundcube webmail software are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) vulnerability with a publicly available exploit. [...]
Analysis Summary
# Vulnerability: Actively Exploited Flaw in Roundcube Webmail
## CVE Details
- CVE ID: CVE-2025-49113
- CVSS Score: Not stated in the article. The NVD entry rates it 9.9 (Critical) on CVSS 3.1.
- CWE: Not stated in the article. NVD classifies it as CWE-502 (Deserialization of Untrusted Data).
## Affected Systems
- Products: Roundcube Webmail
- Versions: All releases before 1.5.10, and 1.6.x before 1.6.11 (as stated in the vendor advisory and NVD).
- Configurations: Widely deployed on shared hosting (GoDaddy, Hostinger, OVH) and across government, education, and tech sectors. The Shadowserver Foundation's scans count over 84,000 exposed, unpatched instances (unique IPs) worldwide.
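Because the fix lives in two parallel branches, a naive "is it below 1.6.11?" comparison misclassifies a patched 1.5.10 install. The following Python snippet is an added example (not from the article or the Roundcube project) that reads the version string from a Roundcube installation and compares it against the fixed release of its own branch. It assumes the version is declared as `define('RCMAIL_VERSION', '...')` in `program/include/iniset.php`, which is where current releases define it; the file content below is constructed for the example.

```python
import re

# Fixed releases per supported branch, from the vendor advisory cited in the page.
# Branches older than 1.5 never received a fix and are treated as vulnerable.
FIXED_BY_BRANCH = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Assumption: the install declares its version like
#   define('RCMAIL_VERSION', '1.6.10');
# in program/include/iniset.php. Adjust the regex if your packaging differs.
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_iniset(source):
    """Return the RCMAIL_VERSION string found in iniset.php content, or None."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def parse_version(version):
    """'1.6.10' -> (1, 6, 10). A '-git' style suffix is dropped; missing parts become 0."""
    core = version.split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version):
    """True if this Roundcube version predates the fix for its own branch.

    Comparing every install against 1.6.11 would wrongly flag a patched
    1.5.10, so the comparison is branch-aware.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    # 1.4 and older: end-of-life, no fixed release. Newer branches are
    # assumed to have been cut after the fix.
    return branch < (1, 5)


# Constructed sample of the relevant lines from a vulnerable 1.6.10 install.
SAMPLE_INISET = """<?php
define('RCMAIL_VERSION', '1.6.10');
define('RCMAIL_START', microtime(true));
"""

if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(f"RCMAIL_VERSION={found} vulnerable={is_vulnerable(found)}")
```

Run it against the real `iniset.php` of each host in your inventory (for example by feeding the file contents to `version_from_iniset`) and patch everything it reports as vulnerable.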
## Vulnerability Description
The article reports CVE-2025-49113 as a critical remote code execution flaw in Roundcube with a public exploit and a very large exposed population, but it does not describe the flaw's mechanics. The NVD entry does: the `_from` URL parameter handled by the settings upload action (program/actions/settings/upload.php) is not validated, which lets an authenticated user trigger PHP object deserialization and run arbitrary code with the web server's privileges. Because a valid mailbox login is required, the practical entry point is a phished, leaked or credential-stuffed webmail account, and the outcome is full compromise of the webmail host and the mail it serves.
## Exploitation
- Status: **Actively exploited**, with a public exploit available, per the article.
- Complexity: Low. The attacker needs a valid webmail login and a crafted request. The 84,000 figure measures exposure (internet-facing, unpatched hosts), not exploit difficulty.
- Attack Vector: Network, through the webmail HTTP interface. Authentication is required (low privileges suffice), so stolen or weak credentials are the usual precondition.
## Impact
- Confidentiality: High. Code execution on the webmail host exposes every mailbox it serves, along with stored credentials and session data.
- Integrity: High. The attacker can modify the installation (web shells, backdoored PHP), mail and configuration.
- Availability: High. The attacker holds the web server's privileges and can disrupt or destroy the service.
## Remediation
### Patches
- 1.6.x: upgrade to **Roundcube version 1.6.11**.
- 1.5.x (LTS): upgrade to **Roundcube version 1.5.10**.
- Older branches have no fixed release; migrate to a supported branch.
### Workarounds
If immediate upgrading is not possible, the following reduce exposure but do not remove the bug; only the patch does:
1. Restrict access to the webmail interface (IP allowlist, VPN or an authenticating reverse proxy), so that stolen credentials alone do not reach the vulnerable code.
2. Turn off file upload functionality, which shrinks the attack surface around the upload handler at the cost of attachment uploads.
3. Confirm that Roundcube's CSRF protection (its request tokens) is active, so a logged-in victim's browser cannot be driven through the vulnerable request from another site.
4. Block risky PHP functions at the server level (PHP's `disable_functions` for exec, system, passthru, shell_exec, proc_open, popen), which limits what a deserialization payload can do once it runs.
Since exploitation is post-authentication, also review exposed hosts for compromised webmail accounts and rotate their credentials.
## Detection
- **Indicators of Compromise (IOCs):** The article gives no specific IOCs. Look for requests to the settings upload action (`_task=settings&_action=upload`) whose `_from` value is not a plain add-/edit- form name; new or modified PHP files under the Roundcube webroot or its temp directory; the web server user spawning shells or making unexpected outbound connections; and logins followed immediately by settings-upload requests from scripting user agents.
- **Detection Methods and Tools:** The Shadowserver Foundation scans for and reports exposed vulnerable instances (external and reactive: useful for inventory, not for spotting compromise). Internally, review web server access logs for the request patterns above and compare each installed version against the fixed releases.
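The log review described above, as an added example that is not part of the original report: a Python script that parses Apache/nginx combined-format access log lines, picks out requests to Roundcube's settings upload action, and flags any whose `_from` value does not look like a normal form name. The expected shape `add-<name>` / `edit-<name>` is an assumption drawn from how the settings pages use this parameter; adjust it for your deployment. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [timestamp] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumption: legitimate callers pass _from values such as edit-identity or
# add-identity. Anything with other characters deserves a closer look.
EXPECTED_FROM = re.compile(r"^(add|edit)-[a-z]+$")


def suspicious_upload(target):
    """Return the decoded _from value if `target` is a settings upload request
    with an unexpected _from, otherwise None."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)

    def first(key):
        return qs.get(key, [""])[0]

    if first("_task") != "settings" or first("_action") != "upload":
        return None
    from_value = first("_from")  # parse_qs has already percent-decoded it
    if from_value and not EXPECTED_FROM.match(from_value):
        return from_value
    return None


def scan_log(text):
    """Return one finding per suspicious request in the access log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        hit = suspicious_upload(m["target"])
        if hit is not None:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "from": hit,
                "status": m["status"],
                "ua": m["ua"],
            })
    return findings


# Constructed sample traffic: one normal session, one scripted client that
# reaches the upload action with an odd _from value ('%2A' decodes to '*').
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:12:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Jun/2025:10:12:09 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [05/Jun/2025:10:13:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%2A&_id=1 HTTP/1.1" 200 210 "-" "python-requests/2.32"
198.51.100.7 - - [05/Jun/2025:10:13:45 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5123 "-" "python-requests/2.32"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} _from={finding['from']!r} ua={finding['ua']}")
```

Feed it the real access log of the host (for example `scan_log(open(path).read())`) and pivot from any hit to the account that was logged in at that time, the web server's process tree, and any files written under the webroot shortly afterwards. A hit is a lead, not proof: the heuristic only says the parameter was not a normal form name.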
## References
- Vendor Advisories: The fix shipped in Roundcube releases 1.6.11 and 1.5.10; see the corresponding Roundcube release announcements.
- Relevant links:
- Shadowserver Foundation statistics report (defanged): hxxps://dashboard.shadowserver.org/statistics/combined/time-series/?date_range=7&source=http_vulnerable&source=http_vulnerable6&tag=cve-2025-49113%2B&dataset=unique_ips&limit=100&group_by=geo&stacking=stacked&auto_update=on