PT-2025-23462 · Unknown+5 · Roundcube Webmail+5
Firs0V · Published 2019-11-09 · Updated 2026-03-12
CVE-2025-49113 · CVSS v3.1 9.9 Critical · AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 (i.e. 1.5.x up to and including 1.5.9, and 1.6.x up to and including 1.6.10).
Description: Roundcube Webmail contains a critical remote code execution (RCE) vulnerability, CVE-2025-49113, caused by missing validation of the _from URL parameter in the settings upload action (program/actions/settings/upload.php). The unvalidated value reaches PHP object deserialization, so an attacker holding valid mailbox credentials (the vector's PR:L) can execute arbitrary code on the webmail host, which can lead to full compromise of the server. The weakness is deserialization of untrusted data (CWE-502). The flaw has been present for roughly ten years, a proof-of-concept exploit is publicly available, and exploitation in the wild has been reported. Because Roundcube is bundled with cPanel, Plesk and ISPConfig, the exposed population is large: more than 84,000 internet-reachable installations were estimated to be vulnerable. Affected releases are 1.5.x up to and including 1.5.9 and 1.6.x up to and including 1.6.10.
Recommendations: Upgrade to Roundcube 1.6.11 or later (1.5.10 on the 1.5 branch) without delay; distribution packages carry the fix under the advisory identifiers listed below. If upgrading is not immediately possible, restrict the settings upload action implemented by program/actions/settings/upload.php. Roundcube dispatches that action through index.php with _task=settings&_action=upload, so a file-level rule for upload.php alone is not sufficient; block or tightly restrict that request pattern at the web server or reverse proxy, and consider disabling the upload feature until the patch is applied. Review web server access logs for upload requests whose _from value is not a plain identifier; since the flaw requires a valid login, such a request from an existing account is a signal to rotate that account's credentials and inspect the host.
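The two checks the recommendations call for (is the install on a fixed release, and does the access log show upload requests with a malformed _from value), as an added Python example that is not Roundcube code and not part of the original advisory. It assumes the request shape /?_task=settings&_action=upload&_from=<value>, an allowlist of [A-Za-z0-9_-] for legitimate _from values, and common/combined access-log format; the fixed versions 1.5.10 and 1.6.11 come from the advisory, and the log lines are constructed for the example.

```python
"""Triage helpers for CVE-2025-49113 (added example; not Roundcube code).

Assumptions, not taken from the advisory:
  * upload requests look like /?_task=settings&_action=upload&_from=<value>
  * legitimate _from values are short identifiers: [A-Za-z0-9_-]{1,64}
  * access logs use the common/combined log format
Fixed versions (1.5.10 and 1.6.11) come from the advisory itself.
"""
import re
from urllib.parse import parse_qs, urlsplit

FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)

# Constructed sample access log; the second line carries a _from value with
# characters outside the identifier allowlist (percent-encoded '|' and '!').
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2025:10:15:01 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.7 - - [02/Jun/2025:10:16:44 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity%7C%21x HTTP/1.1" 200 512',
    '198.51.100.9 - - [02/Jun/2025:10:17:02 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')  # assumed allowlist for _from


def parse_version(version: str) -> tuple:
    """'1.6.10' -> (1, 6, 10); trailing suffixes such as '-rc1' are ignored."""
    m = re.match(r'^(\d+)\.(\d+)(?:\.(\d+))?', version.strip())
    if not m:
        raise ValueError(f'unrecognised Roundcube version: {version!r}')
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_vulnerable(version: str) -> bool:
    """True if the release predates the fix on its branch (1.5.10 / 1.6.11)."""
    v = parse_version(version)
    if v[:2] == FIXED_1_6[:2]:
        return v < FIXED_1_6
    # every release before 1.5.10, including unsupported 1.4.x and older, is affected
    return v < FIXED_1_5


def suspicious_upload_requests(log_lines) -> list:
    """Return (ip, timestamp, decoded _from) for settings upload requests whose
    _from value is not a plain identifier. parse_qs decodes percent-encoding,
    so the check sees the value as the application would."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group('url')).query, keep_blank_values=True)
        if params.get('_task', [''])[0] != 'settings' or params.get('_action', [''])[0] != 'upload':
            continue
        for value in params.get('_from', []):
            if not SAFE_FROM.match(value):
                hits.append((m.group('ip'), m.group('ts'), value))
    return hits


if __name__ == '__main__':
    for ver in ('1.5.9', '1.5.10', '1.6.10', '1.6.11'):
        print(ver, 'VULNERABLE' if is_vulnerable(ver) else 'fixed')
    for ip, ts, value in suspicious_upload_requests(SAMPLE_LOG):
        print(f'{ts} {ip} suspicious _from={value!r}')
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; the allowlist is deliberately strict, so a hit is a lead to investigate rather than proof of exploitation.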

Exploit · Fix · RCE

Weakness Enumeration: CWE-502 Deserialization of Untrusted Data

Related Identifiers

ALT-PU-2019-3109
ALT-PU-2020-1898
ALT-PU-2020-2367
ALT-PU-2025-1825
ALT-PU-2025-8283
BDU:2025-06366
CVE-2025-49113
DLA-4211-1
DSA-5934-1
GHSA-8J8W-WWQC-X596
MGASA-2025-0185
USN-7584-1

Affected Products

Alt Linux
Debian
Linuxmint
Red Os
Roundcube Webmail
Ubuntu