PT-2025-23462 · Unknown+5 · Roundcube Webmail+5
Firs0V
·
Published
2019-11-09
·
Updated
2026-07-09
·
CVE-2025-49113
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Roundcube Webmail versions prior to 1.5.10
Roundcube Webmail versions 1.6.x prior to 1.6.11
Description
Authenticated users can achieve remote code execution due to PHP Object Deserialization. The issue occurs because the
from parameter in the URL is not properly validated within the 'program/actions/settings/upload.php' endpoint. This flaw has been present in the codebase for over a decade and has been exploited by nation-state actors, including APT28 and Winter Vivern, to target critical communication systems. Real-world incidents include the compromise of the email provider Cock.li, resulting in the theft of data from over one million users. It is estimated that over 85,000 Roundcube servers have been targeted by attacks.Recommendations
Update Roundcube Webmail to version 1.5.10 LTS.
Update Roundcube Webmail to version 1.6.11.
As a temporary mitigation, consider disabling file upload functions until the update is applied.
Restrict file upload permissions to trusted users only.
Monitor web server logs for suspicious requests to the 'program/actions/settings/upload.php' endpoint.
Exploit
Fix
DoS
RCE
Deserialization of Untrusted Data
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu