PT-2025-23462 · Unknown+5 · Roundcube Webmail+5

Firs0V · Published 2019-11-09 · Updated 2026-05-22 · CVE-2025-49113

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Roundcube Webmail versions prior to 1.5.10
Roundcube Webmail versions 1.6.x prior to 1.6.11

Description

Authenticated users can achieve remote code execution due to improper validation of the from parameter in the URL within the 'program/actions/settings/upload.php' endpoint. This flaw leads to PHP Object Deserialization, a process where untrusted data is used to abuse the logic of an application to execute arbitrary code. It is estimated that over 85,000 servers have been targeted by attacks. Real-world exploitation has been linked to nation-state groups such as APT28 and Winter Vivern, as well as the CapFix group, which targeted industrial and aviation sectors in Russia using a backdoor called CapDoor. Additionally, the vulnerability was used to breach the email provider Cock.li, resulting in the theft of data from over one million users.

Recommendations

Update to version 1.5.10 LTS.
Update to version 1.6.11.
As a temporary workaround, consider disabling file upload functions until the update is applied.
Restrict file upload permissions to trusted users only.
Monitor web server logs for suspicious requests to the 'program/actions/settings/upload.php' endpoint.
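
One way to carry out the log-monitoring recommendation, as an added example that is not part of the original advisory or of Roundcube's code: it reads combined-format access log lines, selects requests that reach the settings upload action, and lists those whose from value is not a plain identifier. The `?_task=settings&_action=upload` routing, the `_from` spelling, the allow-list pattern and the sample log lines are assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: Roundcube dispatches program/actions/settings/upload.php through
# the query string (?_task=settings&_action=upload) and names the parameter _from.
ENDPOINT = "program/actions/settings/upload.php"
SIMPLE = re.compile(r"[\w.-]+")  # assumed allow-list for a benign from value
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def review(lines):
    """Return (findings, hits_per_client) for settings-upload requests."""
    findings, per_client = [], Counter()
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a combined-format request line
        client, method, target, status = m.groups()
        url = urlsplit(target)
        q = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        routed = q.get("_task") == ["settings"] and q.get("_action") == ["upload"]
        if not (routed or ENDPOINT in url.path):
            continue
        per_client[client] += 1  # volume per source, useful for spotting scans
        values = q.get("_from", []) + q.get("from", [])
        if any(not SIMPLE.fullmatch(v) for v in values):
            findings.append({"client": client, "method": method,
                             "status": int(status), "from": values})
    return findings, per_client

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:05 +0000] "POST /?_task=settings&_action=upload&_from=x%20y%2Fz HTTP/1.1" 200 128 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:06 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 900 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2025:10:00:07 +0000] "GET /program/actions/settings/upload.php?from=%3Cx%3E HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    found, clients = review(SAMPLE)
    for f in found:
        print("REVIEW", f)
    print(dict(clients))
```

Findings are leads for review rather than confirmed compromise; correlate them with the session's authenticated user and with the patch level of the instance.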

Exploit

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu