CVE-2025-49113: Actively Exploited Critical Vulnerability in Roundcube Webmail


Filip Dimitrov

June 9, 2025

Severity: Critical (CVSS 9.9)

Status: Active Exploitation Confirmed

On June 1, 2025, Roundcube developers issued critical security updates to patch a newly discovered vulnerability in their widely used open-source webmail platform. Tracked as CVE-2025-49113, the flaw affects all Roundcube versions prior to 1.5.10 and 1.6.11.

Within days of the patch release, proof-of-concept code and full exploit kits were circulating on underground forums, and real-world exploitation has now been confirmed.

Technical Details

CVE-2025-49113 allows authenticated attackers to execute arbitrary code on vulnerable servers via PHP object deserialization. The root cause lies in the improper validation of the _from parameter used in the upload.php module, combined with a flaw in how Roundcube handles session variables starting with special characters.

The vulnerability has existed in the codebase for over 10 years, impacting a massive global install base.

While authentication is technically required to trigger the exploit, attackers have multiple methods to obtain credentials, including log scraping, brute force attacks, and CSRF exploitation. Once access is gained, the vulnerability offers full remote code execution capabilities, allowing attackers to take control of the underlying server.

Threat Landscape

Roundcube powers webmail services for major hosting providers like GoDaddy, Hostinger, Dreamhost, and OVH, as well as countless government, academic, and private sector organizations. 

According to internet-wide scans, more than 1.2 million Roundcube instances are exposed online, making this a highly attractive target for both financially motivated and state-sponsored attackers.

At least one vulnerability broker valued this exploit at up to $50,000, signaling high criminal interest. Public exploit code is now available on GitHub, increasing the likelihood of widespread exploitation.

This is not the first time Roundcube has been targeted. APT groups such as APT28 (Fancy Bear) and Winter Vivern have previously exploited older Roundcube vulnerabilities for credential theft and espionage. The simplicity of the attack chain combined with the global footprint of Roundcube makes CVE-2025-49113 an immediate concern for organizations running unpatched versions.

Exploitation Activity

Active exploitation was observed just days after disclosure. Threat actors have already reverse engineered the patch, developed working exploits, and advertised them for sale in dark web markets. 

Researchers have independently reproduced the exploit and confirmed its real-world viability. The speed of exploitation underscores both the critical nature of the vulnerability and the strong financial incentive for attackers.

Mitigation & Recommendations

  • Apply Security Patches Immediately: Upgrade all Roundcube installations to version 1.5.10 (LTS) or 1.6.11 to fully address CVE-2025-49113.

  • Harden Authentication: Enforce strong password policies, implement multi-factor authentication (MFA), and enable account lockouts or rate limiting to reduce brute force risk.

  • Monitor for Suspicious Activity: Audit webmail server logs for signs of file upload abuse, unusual session variables, or unauthorized command execution.

  • Deploy Web Application Firewall (WAF) Protections: Apply WAF rules to detect and block malicious requests targeting vulnerable Roundcube endpoints, especially those manipulating the _from parameter.

  • Network Segmentation: Limit direct internet exposure of webmail servers where possible. Isolate Roundcube instances from sensitive internal systems.
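A small triage script for the monitoring and patching items above, added here as an example and not code from OP Innovate or the Roundcube project. It assumes combined-format (Apache/nginx) access logs, that legitimate _from values are plain identifiers, and that upload requests are routed through an upload.php path or an _action=upload query parameter; all three are assumptions to tune for your deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the advisory: 1.5.10 (LTS) and 1.6.11.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}
# Apache/nginx combined log format; only the fields the triage needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<uri>\S+) \S+" \d{3}')
# Assumption: legitimate _from values are plain identifiers (tune per deployment).
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')

def parse_version(ver):
    # '1.6.10' -> (1, 6, 10); tolerates suffixes such as '1.6.10-rc'
    return tuple(int(p) for p in re.findall(r'\d+', ver)[:3])

def is_vulnerable(ver):
    """True when the installed version predates the fixed release of its branch."""
    v = parse_version(ver)
    fixed = FIXED.get(v[:2])
    if fixed:
        return v < fixed
    return v < (1, 5, 10)  # branches older than 1.5 never received the fix

def is_upload_request(uri):
    # Assumption: upload requests hit an upload.php path or carry _action=upload.
    parts = urlsplit(uri)
    return parts.path.endswith('upload.php') or 'upload' in parse_qs(parts.query).get('_action', [])

def suspicious_from(uri):
    # URL-decoded _from values that fall outside the expected charset
    q = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [v for v in q.get('_from', []) if not SAFE_FROM.match(v)]

def triage(lines):
    """Flag upload requests whose _from parameter looks manipulated."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_upload_request(m['uri']):
            bad = suspicious_from(m['uri'])
            if bad:
                findings.append({'ip': m['ip'], 'ts': m['ts'], 'uri': m['uri'], 'bad_from': bad})
    return findings

# Constructed sample lines (RFC 5737 addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2025:10:12:01 +0000] "POST /roundcube/?_task=mail&_action=upload&_from=%21x HTTP/1.1" 200 512',
    '198.51.100.9 - - [09/Jun/2025:10:13:44 +0000] "POST /roundcube/?_task=mail&_action=upload&_from=compose HTTP/1.1" 200 512',
    '192.0.2.5 - - [09/Jun/2025:10:15:02 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 2048',
]
```

Running `triage(SAMPLE_LOG)` flags only the first constructed line (its decoded _from value is `!x`), and `is_vulnerable('1.6.10')` returns True while `is_vulnerable('1.6.11')` returns False.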

OP Innovate’s Incident Response and Continuous Threat Exposure services can help organizations monitor for signs of exploitation, investigate anomalies, and validate security posture against active threats like CVE-2025-49113.