More than 80,000 Roundcube webmail servers are affected by a critical-severity remote code execution (RCE) vulnerability that has already been exploited in attacks.
Tracked as CVE-2025-49113 (CVSS score of 9.9), the flaw is described as a post-authentication RCE via PHP object deserialization and impacts every Roundcube version released over the past decade (1.1.0 through 1.6.10).
According to security researcher Kirill Firsov, who reported the security defect, the root cause is flawed logic that incorrectly evaluates session variable names beginning with an exclamation mark (!), which leads to session corruption and PHP object injection.
Because a specific request parameter is not sanitized, an attacker can place a payload in the name of a file being uploaded, and that data ends up injected into the current session, Firsov says.
The vulnerability has remained hidden in Roundcube's code for more than 10 years; it can be reproduced on default installations, requires no dependencies, and its exploitation is not detected by firewalls, the researcher notes.
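To make the mechanism concrete, here is an added Python model of the bug class Firsov describes. It is illustrative code written for this page, not Roundcube's session implementation and not the published exploit: a session writer that emits every entry as `name|value` with no special case for `!`, paired with a reader in the PHP session style that treats a leading `!` as "this variable has no value" and resumes parsing right after the `|`. When a handler builds a session key from an unsanitized request parameter (`from_param` and the `_upload` suffix are assumed names) and that key starts with `!`, the stored value, here a filename, is re-read as further `name|value` records, so an `O:` literal inside the filename comes back out as an object. The `strict` flag applies the allow-list validation the article says was missing. The `stdClass` sample, the pre-existing session data and the payload filename are all constructed for the demo.

```python
import re
from dataclasses import dataclass, field


@dataclass
class PhpObject:                      # stand-in for what a real reader would instantiate
    cls: str
    props: dict = field(default_factory=dict)


def php_serialize(value):
    """Subset of PHP serialize(): null, bool, int, ASCII str, dict (PHP array)."""
    if value is None:
        return "N;"
    if isinstance(value, bool):       # checked before int (bool subclasses int)
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):        # ASCII only, so len() equals the byte length
        return f's:{len(value)}:"{value}";'
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return f"a:{len(value)}:{{{body}}}"


def _parse_value(s, p):
    """Parse one PHP-serialized value at s[p:]; return (value, next offset)."""
    t = s[p]
    if t == "N":
        return None, p + 2
    if t in "bi":
        end = s.index(";", p)
        raw = s[p + 2:end]
        return (raw == "1" if t == "b" else int(raw)), end + 1
    if t not in "saO":
        raise ValueError(f"unsupported type {t!r} at offset {p}")
    colon = s.index(":", p + 2)
    n = int(s[p + 2:colon])           # string byte length or element count
    q = colon + 2                     # past ':"' or ':{'
    if t == "s":
        return s[q:q + n], q + n + 2  # past the closing '";'
    cls = None
    if t == "O":                      # O:<len>:"<class>":<count>:{...}
        cls, q = s[q:q + n], q + n + 2
        colon = s.index(":", q)
        n, q = int(s[q:colon]), colon + 2
    entries = {}
    for _ in range(n):
        k, q = _parse_value(s, q)
        entries[k], q = _parse_value(s, q)
    return (entries if cls is None else PhpObject(cls, entries)), q + 1   # past '}'


def serialize_session(vars_):
    """Writer: every entry becomes name|value; a name starting with '!' is written as-is."""
    return "".join(f"{name}|{php_serialize(value)}" for name, value in vars_.items())


def unserialize_session(data):
    """Reader: a record whose name starts with '!' carries no value, so parsing
    resumes right after its '|' and whatever follows is taken as the next record."""
    session, p = {}, 0
    while p < len(data):
        bar = data.find("|", p)
        if bar < 0:
            break
        name, p = data[p:bar], bar + 1
        if name.startswith("!"):
            session[name[1:]] = None
            continue
        session[name], p = _parse_value(data, p)
    return session


def store_upload_result(session, from_param, filename, strict):
    """Handler model (assumed names): records an upload under a key derived from a
    request parameter. strict=True applies the allow-list the vulnerable path lacks."""
    if strict and not re.fullmatch(r"[A-Za-z0-9_-]+", from_param):
        raise ValueError(f"rejected key fragment {from_param!r}")
    session[from_param + "_upload"] = {"name": filename}


def find_objects(value):
    """Every PhpObject reachable from a decoded session."""
    if isinstance(value, PhpObject):
        return [value] + find_objects(value.props)
    if isinstance(value, dict):
        return [o for v in value.values() for o in find_objects(v)]
    return []


def roundtrip(from_param, filename, strict=False):
    """Store the upload record, write the session out, read it back."""
    session = {"user_id": 7}          # constructed pre-existing session data
    store_upload_result(session, from_param, filename, strict)
    return unserialize_session(serialize_session(session))


# Constructed demo filename: a '|' followed by a serialized-object literal.
PAYLOAD_NAME = 'x|O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}'

if __name__ == "__main__":
    benign = roundtrip("identity", PAYLOAD_NAME)
    print("sane key :", find_objects(benign), benign["identity_upload"]["name"] == PAYLOAD_NAME)
    print("'!' key  :", [o.cls for o in find_objects(roundtrip("!x", PAYLOAD_NAME))])
    try:
        roundtrip("!x", PAYLOAD_NAME, strict=True)
    except ValueError as err:
        print("hardened :", err)
```

With a sane key the filename survives the round trip untouched, because the reader consumes it by its declared length and never looks inside it for `|`. With a key that begins with `!` the same filename is re-parsed as structure and the `stdClass` record surfaces as an object; in a real PHP deserializer that object would be instantiated, which is the step that turns session corruption into object injection. The allow-list in `store_upload_result` stops the bad key before it reaches the session, which is the cheaper fix than teaching the reader and writer to agree on `!`.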
“This vulnerability affects Roundcube versions 1.1.0 through 1.6.10, including default installs in cPanel, Plesk, ISPConfig, and others,” he says.
Firsov also warned that threat actors devised exploit code for the bug within days of the patches shipping in Roundcube versions 1.6.11 and 1.5.10, which were released on June 1.
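To check an install against the version range given above, here is an added Python script (written for this page, not a Roundcube tool) that reads the `RCMAIL_VERSION` define Roundcube keeps in `program/include/iniset.php` and applies the branch-aware rule: 1.6.x is fixed from 1.6.11, 1.5.x from 1.5.10, and the 1.1 through 1.4 branches have no fixed release. The `iniset.php` excerpt is constructed, and treating anything newer than the 1.6 branch as unaffected is an assumption drawn from the stated 1.1.0 through 1.6.10 range.

```python
import re
import sys
from pathlib import Path

FIRST_AFFECTED = (1, 1, 0)
# Fixed release per branch, as reported; 1.1 through 1.4 have no fixed release.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}


def parse_version(text):
    """Return (major, minor, patch) from the RCMAIL_VERSION define in
    program/include/iniset.php, or from a bare 'x.y.z' string."""
    m = (re.search(r"RCMAIL_VERSION'\s*,\s*'(\d+)\.(\d+)\.(\d+)", text)
         or re.search(r"(\d+)\.(\d+)\.(\d+)", text))
    if not m:
        raise ValueError("no x.y.z version found")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True when the version lies in 1.1.0 through 1.6.10, honouring the branch fixes."""
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return branch < (1, 5)            # 1.1-1.4: no fix exists; newer than 1.6: assumed fixed


def assess(text):
    """Version string and verdict for the given iniset.php contents."""
    v = parse_version(text)
    return ".".join(map(str, v)), is_affected(v)


# Constructed excerpt of what program/include/iniset.php carries.
SAMPLE_INISET = "<?php\n\n// Roundcube version\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == "__main__":
    src = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_INISET
    ver, bad = assess(src)
    print(f"Roundcube {ver}: " + ("affected by CVE-2025-49113, upgrade" if bad else "outside the affected range"))
```

Run it as `python3 check.py /path/to/roundcube/program/include/iniset.php`; with no argument it evaluates the constructed sample. Note that the version on disk tells you whether the code is patched, not whether the server was already compromised: with exploit code circulating since early June, a host that was exposed before the upgrade also needs its sessions and logs reviewed.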
“The exploit for CVE-2025-49113 is already available for sale on the dark web. I feel sorry for anyone who hasn’t upgraded to the newest version yet,” the researcher warned on June 4.
Over the weekend, The Shadowserver Foundation warned that roughly 84,000 unpatched Roundcube instances were visible on the internet. As of June 9, its data shows more than 85,000 vulnerable servers.
Successful exploitation of the security defect requires a valid username and password, but the threat actor selling the exploit claims that credentials can be brute-forced or extracted from logs.
Credential theft against Roundcube users is already under way by other means: CERT Poland on Friday warned that threat actors are exploiting a Roundcube XSS flaw in a spear-phishing campaign aimed at credential theft. CERT Poland attributed the activity to the Belarusian hacking group UNC1151.
Tracked as CVE-2024-42009, the flaw leads to JavaScript code execution when opening an email. The US cybersecurity agency CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, urging federal agencies to patch it by June 30.
Related: Roundcube Webmail Vulnerability Exploited in Government Attack
Related: CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities
Related: Russian Cyberspies Exploit Roundcube Flaws Against European Governments
