PT-2025-23462 · Vendor: Unknown (+5 more) · Product: Roundcube Webmail (+5 more)

Firs0V · Published 2019-11-09 · Updated 2026-01-15 · CVE-2025-49113

CVSS v3.1: 9.9
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail 1.1.0 through 1.6.10, i.e. every 1.6.x release before 1.6.11 and, on the 1.5 branch, every release before 1.5.10 (1.1.x through 1.4.x are end-of-life and receive no fix).
Description: Roundcube Webmail contains a PHP object deserialization vulnerability, tracked as CVE-2025-49113, that allows an authenticated user to achieve remote code execution (RCE) on the server. The `_from` URL parameter handled by program/actions/settings/upload.php is not validated, and a crafted value in that parameter leads to deserialization of attacker-controlled data. The flaw affects versions 1.1.0 through 1.6.10 and had been present in the code for roughly ten years. It carries a CVSS score of 9.9; a proof-of-concept (PoC) exploit is publicly available, exploitation by threat actors has been observed in the wild, and over 84,000 instances were reported as potentially vulnerable. The vector's PR:L means the attacker needs a valid webmail account, so credential theft, phishing or password spraying is the usual precursor; the scope change (S:C) reflects that code execution on the mail server reaches far beyond the compromised mailbox.
Recommendations: Update Roundcube to version 1.6.11 or later (1.5.10 or later on the 1.5 branch). If updating is not immediately possible, restrict access to the upload action. Note that Roundcube dispatches program/actions/settings/upload.php through its front controller index.php, so a web-server rule has to match the request (`_task=settings` together with `_action=upload`) rather than the file path; denying direct access to the upload.php file alone does not keep the vulnerable code from being reached.
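Two checks a practitioner would want from this advisory, written here as an added example in Python (not code from the page or from the Roundcube project): a version test covering the affected ranges above, and a heuristic scan of web-server access logs for settings-upload requests whose `_from` value contains characters outside a letters/digits/underscore/hyphen allow-list. The allow-list, the combined-log format and the sample log lines are assumptions constructed for the example; the allow-list is not the validation rule the fixed Roundcube release applies.

```python
"""Version test and access-log scan for CVE-2025-49113.  Added example;
not Roundcube code.  Allow-list, log format and log lines are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit


def parse_version(version: str) -> tuple:
    """'1.6.10' -> (1, 6, 10); a missing patch component counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version: str) -> bool:
    """True for the ranges the advisory lists: 1.1.0 up to (not including)
    1.5.10 on the 1.1-1.5 line, and 1.6.0 up to (not including) 1.6.11.
    Releases newer than 1.6.x are outside the advisory and report False."""
    v = parse_version(version)
    return (1, 1, 0) <= v < (1, 5, 10) or (1, 6, 0) <= v < (1, 6, 11)


# Heuristic allow-list for `_from` (an assumption for this example, not the
# validation rule Roundcube itself applies in the fixed release).
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]*$")

# Apache/nginx "combined"-style access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_upload_requests(lines):
    """Return (ip, timestamp, decoded _from) for every request that reaches the
    settings upload action (_task=settings&_action=upload) with a `_from`
    value outside SAFE_FROM.  Other tasks and actions are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        query = parse_qs(urlsplit(m["url"]).query)
        if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
            continue
        from_value = query.get("_from", [""])[0]  # parse_qs percent-decodes
        if not SAFE_FROM.match(from_value):
            hits.append((m["ip"], m["ts"], from_value))
    return hits


# Constructed sample lines (not real traffic).  The second request carries a
# `_from` value with a character outside the allow-list.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2025:10:15:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Jun/2025:10:16:42 +0000] "POST /?_task=settings&_action=upload&_from=0%21bogus HTTP/1.1" 200 73',
    '198.51.100.7 - - [02/Jun/2025:10:17:00 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for ver in ("1.4.13", "1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        state = "VULNERABLE" if is_vulnerable(ver) else "not affected"
        print(f"Roundcube {ver}: {state}")
    for ip, ts, frm in suspicious_upload_requests(SAMPLE_LOG):
        print(f"suspicious settings/upload request from {ip} at {ts}: _from={frm!r}")
```

Run the scan over the real access log of each instance that the version test reports as vulnerable; a hit is a reason to pull the session store and PHP error log for that account, not proof of compromise, since the allow-list is a heuristic and any legitimate `_from` value Roundcube uses that falls outside it will also be flagged.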

Tags: Exploit · Fix · RCE

Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu