PT-2025-23462
9.9
2019-11-09
Unknown · Roundcube Webmail · CVE-2025-49113
**Name of the Vulnerable Software and Affected Versions**

- Roundcube Webmail versions prior to 1.5.10
- Roundcube Webmail versions 1.6.x prior to 1.6.11

**Description**

Authenticated users can achieve remote code execution due to improper validation of the `_from` parameter in the `program/actions/settings/upload.php` endpoint. The flaw leads to PHP object deserialization, in which untrusted data is used to abuse the application's logic and execute arbitrary code. It is estimated that over 85,000 servers have been targeted by attacks. Real-world exploitation has been linked to nation-state groups such as APT28 and Winter Vivern, as well as the CapFix group, which targeted industrial and aviation sectors in Russia using the CapDoor backdoor and SectopRAT. Additionally, the vulnerability was used to breach the email provider Cock.li, resulting in the theft of data from over one million users.

**Recommendations**

- Update to version 1.5.10 LTS or 1.6.11.
- As a temporary workaround, consider disabling file upload functions until the update is applied.
- Restrict file upload permissions to trusted users only.
- Monitor web server logs for suspicious requests to the `program/actions/settings/upload.php` endpoint.
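The last recommendation, monitoring web server logs for requests to the upload endpoint, can be scripted. The following is an added example written for this page, not code from the dbugs record or from the Roundcube project. It parses constructed Apache combined-format access-log lines, flags every request whose path contains the endpoint named above, and additionally marks requests whose `_from` value falls outside a strict alphanumeric/hyphen/underscore allow-list. That allow-list is an assumption of this example (a conservative definition of "expected" values), not the project's own validation rule, and the log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2025:08:01:12 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2025:08:01:40 +0000] "POST /roundcube/program/actions/settings/upload.php?_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2025:08:02:03 +0000] "POST /roundcube/program/actions/settings/upload.php?_from=abc%20def HTTP/1.1" 200 312 "-" "curl/8.0"
"""

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory above.
UPLOAD_ENDPOINT = "program/actions/settings/upload.php"

# Assumed allow-list for the _from value: letters, digits, hyphen, underscore.
# This is a heuristic for the example, not Roundcube's own validation rule.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")


def parse_line(line):
    """Parse one access-log line into a dict with path and decoded query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def classify(entry):
    """Return a label for requests that touch the upload endpoint, else None."""
    if entry is None or UPLOAD_ENDPOINT not in entry["path"]:
        return None
    from_vals = entry["query"].get("_from", [])
    if not from_vals:
        return "upload-endpoint-missing-from"
    if all(SAFE_FROM.match(v) for v in from_vals):
        return "upload-endpoint"
    return "upload-endpoint-suspicious-from"


def scan(log_text):
    """Scan log text and collect every request that hit the upload endpoint."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        label = classify(entry)
        if label:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "method": entry["method"],
                "target": entry["target"],
                "label": label,
            })
    return findings


def summarize(findings):
    """Count endpoint hits per source IP, useful for spotting scanning bursts."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], f["method"], f["label"], f["target"])
    print(summarize(results))
```

Every hit on the endpoint is reported, since the page recommends reviewing all such requests; the `suspicious-from` label only prioritises review and is not proof of exploitation. On a real deployment, point `scan` at the actual access log and adjust `UPLOAD_ENDPOINT` if the webmail is served under a different URL prefix.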