PT-2025-23462 · Unknown +4 · Roundcube Webmail +4

Firs0V · Published 2025-06-01 · Updated 2025-10-16 · CVE-2025-49113

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Roundcube versions prior to 1.5.10 and 1.6.x prior to 1.6.11
Description: Roundcube Webmail is affected by a critical remote code execution (RCE) vulnerability (CVE-2025-49113) caused by improper validation of the _from URL parameter. An authenticated attacker can use it to execute arbitrary code on the server through PHP object deserialization. The vulnerability has been actively exploited: proof-of-concept exploits are available and exploitation in the wild has been reported. Over 84,000 systems are estimated to be vulnerable. The flaw has been present for approximately 10 years and affects systems that run Roundcube in environments such as cPanel, Plesk, and ISPConfig. The _from parameter is used in the upload process, and the missing validation allows serialized PHP objects to be injected, leading to code execution.
Recommendations: Update Roundcube to version 1.5.10 or later on the 1.5 branch, or to version 1.6.11 or later on the 1.6 branch.
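As an added example (not part of the PT advisory or of Roundcube's own code), the following Python script performs two defender-side checks that follow from the text above: it classifies a Roundcube version string against the affected ranges, and it scans access-log lines for requests to the upload action whose _from value is not a plain identifier. It assumes the upload action is requested as _task=settings&_action=upload and that legitimate _from values are short [A-Za-z0-9_-] identifiers; both are assumptions to confirm against your own deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

def is_affected(version: str) -> bool:
    """Affected ranges from the advisory: < 1.5.10, and 1.6.x < 1.6.11."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    if v[:2] == (1, 6):
        return v < (1, 6, 11)
    return v < (1, 5, 10)

# Assumption: legitimate _from values are short plain identifiers.
# Anything else (e.g. serialized-object syntax) is treated as suspicious.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

def suspicious_upload_request(request_line: str) -> bool:
    """True if an HTTP request line targets the (assumed) upload action
    _task=settings&_action=upload with a _from value outside SAFE_FROM."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    qs = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
        return False
    return any(not SAFE_FROM.match(v) for v in qs.get("_from", []))

# The request line sits between the first pair of double quotes in a
# Combined Log Format line.
REQUEST_RE = re.compile(r'"([A-Z]+ [^"]*)"')

def scan_access_log(lines) -> list:
    """Return 1-based indexes of log lines that look like attempts to
    reach the upload action with a malformed _from parameter."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m and suspicious_upload_request(m.group(1)):
            hits.append(n)
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jun/2025:10:00:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jun/2025:10:00:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jun/2025:10:00:03 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity%3BO%3A8%3A%22stdClass%22 HTTP/1.1" 200 100',
]
```

Run scan_access_log over a real access log to triage upload-action requests; is_affected only tells you whether a version string falls inside the ranges the advisory names, so pair it with the vendor fix status for backported distribution packages.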

Tags: Exploit · Fix · RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu