PT-2025-23462 · Unknown+5 · Roundcube Webmail+5

Firs0V

·

Published

2019-11-09

·

Updated

2026-07-09

·

CVE-2025-49113

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions prior to 1.5.10 Roundcube Webmail versions 1.6.x prior to 1.6.11
Description Authenticated users can achieve remote code execution due to PHP Object Deserialization. The issue occurs because the from parameter in the URL is not properly validated within the 'program/actions/settings/upload.php' endpoint. This flaw has been present in the codebase for over a decade and has been exploited by nation-state actors, including APT28 and Winter Vivern, to target critical communication systems. Real-world incidents include the compromise of the email provider Cock.li, resulting in the theft of data from over one million users. It is estimated that over 85,000 Roundcube servers have been targeted by attacks.
Recommendations Update Roundcube Webmail to version 1.5.10 LTS. Update Roundcube Webmail to version 1.6.11. As a temporary mitigation, consider disabling file upload functions until the update is applied. Restrict file upload permissions to trusted users only. Monitor web server logs for suspicious requests to the 'program/actions/settings/upload.php' endpoint.

Exploit

Fix

DoS

RCE

Deserialization of Untrusted Data

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu