Known Exploited Vulnerability
9.9
CRITICAL CVSS 3.1
CVE-2025-49113
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description

Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.

INFO

Published Date :

June 2, 2025, 5:15 a.m.

Last Modified :

Feb. 23, 2026, 1:24 p.m.

Remotely Exploitable :

Yes
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

RoundCube Webmail contains a deserialization of untrusted data vulnerability that allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php.

Required Action :

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Known Ransomware Campaign Use:

Unknown

Notes :

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 ; https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 ; https://nvd.nist.gov/vuln/detail/CVE-2025-49113

Affected Products

The following products are affected by the CVE-2025-49113 vulnerability. Although cvefeed.io is aware of the exact affected versions of these products, that information is not represented in the table below.

ID Vendor Product Action
1 Roundcube webmail
2 Roundcube roundcube
1 Debian debian_linux
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 HIGH [email protected]
Solution
Update Roundcube Webmail to a patched version to fix the object deserialization vulnerability.
  • For the 1.5.x branch, update Roundcube Webmail to version 1.5.10 or later.
  • For the 1.6.x branch, update Roundcube Webmail to version 1.6.11 or later.
Public PoC/Exploit Available at Github

CVE-2025-49113 has 56 public PoC/exploit repositories available on GitHub. Go to the Public Exploits tab to see the list.

CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-49113 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2025-49113 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated).

None

Shell Python

Updated: 1 week, 4 days ago
0 stars, 0 forks, 0 watchers
Born at : Feb. 20, 2026, 10:40 p.m. This repo has also been linked to 23 different CVEs.

None

Updated: 3 weeks, 4 days ago
0 stars, 0 forks, 0 watchers
Born at : Feb. 11, 2026, 3:38 p.m. This repo has also been linked to 3 different CVEs.

None

Python Dockerfile

Updated: 1 month ago
0 stars, 0 forks, 0 watchers
Born at : Feb. 4, 2026, 6:01 p.m. This repo has also been linked to 1 different CVE.

Curated list of 390+ Free TryHackMe rooms organized by topic • Start hacking today – no premium needed!

Updated: 1 month, 2 weeks ago
0 stars, 0 forks, 0 watchers
Born at : Jan. 17, 2026, 11:11 a.m. This repo has also been linked to 15 different CVEs.

None

Python

Updated: 12 hours ago
0 stars, 0 forks, 0 watchers
Born at : Dec. 31, 2025, 6:48 p.m. This repo has also been linked to 11 different CVEs.

None

Shell

Updated: 2 months, 1 week ago
0 stars, 0 forks, 0 watchers
Born at : Dec. 27, 2025, 2:23 a.m. This repo has also been linked to 12 different CVEs.

None

Shell

Updated: 3 months, 1 week ago
0 stars, 0 forks, 0 watchers
Born at : Dec. 2, 2025, 11:25 a.m. This repo has also been linked to 12 different CVEs.

TryHackMe walkthroughs and CTF writeups for learning cybersecurity, penetration testing, and ethical hacking. NB. this is for practical uses, it's not a call for laziness. Please go through everything.

Python Shell

Updated: 1 month, 1 week ago
3 stars, 0 forks, 0 watchers
Born at : Dec. 1, 2025, 7:24 p.m. This repo has also been linked to 13 different CVEs.

Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read /secret.txt.

Updated: 3 months, 2 weeks ago
0 stars, 0 forks, 0 watchers
Born at : Nov. 17, 2025, 1:39 a.m. This repo has also been linked to 1 different CVE.

Target Drone CVE Summary

Updated: 3 months, 3 weeks ago
0 stars, 0 forks, 0 watchers
Born at : Oct. 24, 2025, 4:24 a.m. This repo has also been linked to 8 different CVEs.

None

Updated: 3 months, 1 week ago
0 stars, 0 forks, 0 watchers
Born at : Oct. 20, 2025, 2:13 p.m. This repo has also been linked to 5 different CVEs.

None

Updated: 4 months, 2 weeks ago
0 stars, 0 forks, 0 watchers
Born at : Oct. 18, 2025, 1:55 p.m. This repo has also been linked to 12 different CVEs.

None

Shell

Updated: 4 months, 1 week ago
0 stars, 0 forks, 0 watchers
Born at : Oct. 9, 2025, 7:37 a.m. This repo has also been linked to 12 different CVEs.

list of cve from 2001 to 2024

Python

Updated: 5 months, 1 week ago
0 stars, 0 forks, 0 watchers
Born at : Sept. 26, 2025, 12:13 a.m. This repo has also been linked to 85 different CVEs.

CVE-2025-49113 - Roundcube Remote Code Execution

PHP

Updated: 5 months, 2 weeks ago
1 star, 0 forks, 0 watchers
Born at : Sept. 19, 2025, 6:07 a.m. This repo has also been linked to 1 different CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2025-49113 vulnerability anywhere in the article.

  • CybersecurityNews
CISA Warns of Multiple Roundcube Vulnerabilities Exploited in Attacks

CISA has officially updated its Known Exploited Vulnerabilities (KEV) Catalog to include new security flaws affecting a popular webmail platform. On February 20, 2026, the agency added two critical vu ...

Published Date: Feb 23, 2026 (2 weeks ago)
  • The Hacker News
CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added two security flaws impacting Roundcube webmail software to its Known Exploited Vulnerabilities (KEV) catalog, citing ev ...

Published Date: Feb 21, 2026 (2 weeks, 2 days ago)
  • The Hacker News
From Phishing to Malware: AI Becomes Russia's New Cyber Weapon in War on Ukraine

Oct 09, 2025Ravie LakshmananArtificial Intelligence / Malware Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of ... Read more

Published Date: Oct 09, 2025 (5 months ago)
  • Daily CyberSecurity
Kaspersky Report: Vulnerabilities Are Exploding, and Attackers Are Adapting

Kaspersky Labs has published its Q2 2025 vulnerability analysis, revealing an alarming rise in both the number of vulnerabilities registered and their exploitation in the wild. The findings show that ...

Published Date: Aug 29, 2025 (6 months, 1 week ago)
  • Kaspersky
Exploits and vulnerabilities in Q2 2025

Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browser ...

Published Date: Aug 27, 2025 (6 months, 1 week ago)
  • europa.eu
Cyber Brief 25-07 - June 2025

Cyber Brief (June 2025). July 1, 2025. Version: 1. TLP:CLEAR. Executive summary: We analysed 277 open source reports for this Cyber Brief. Relating to cyber policy and law enforcement, the EU adopted a bluep ...

Published Date: Jul 01, 2025 (8 months, 1 week ago)
  • Cyber Security News
Email Hosting Provider Cock.li Hacked – 1 Million Email Addresses Stolen

A major security breach at email hosting provider Cock[.]li has compromised personal data from over one million users, the company announced in an official statement. The incident specifically targete ...

Published Date: Jun 17, 2025 (8 months, 2 weeks ago)
  • BleepingComputer
Hacker steals 1 million Cock.li user records in webmail data breach

Email hosting provider Cock.li has confirmed it suffered a data breach after threat actors exploited flaws in its now-retired Roundcube webmail platform to steal over a million user records. The incid ...

Published Date: Jun 17, 2025 (8 months, 2 weeks ago)
  • Dark Reading
PoC Code Escalates Roundcube Vuln Threat

Source: Mircea Maties via Shutterstock. The threat associated with a critical decade-old remote code execution vulnerability in Roundcube webmail has increased sharply in recent days, with proof-of-conc ...

Published Date: Jun 10, 2025 (8 months, 3 weeks ago)
  • Help Net Security
Unpatched Wazuh servers targeted by Mirai botnets (CVE-2025-24016)

Two Mirai botnets are exploiting a critical remote code execution vulnerability (CVE-2025-24016) in the open-source Wazuh XDR/SIEM platform, Akamai researchers have warned. What is Wazuh? Wazuh is a p ...

Published Date: Jun 10, 2025 (8 months, 3 weeks ago)
  • Cyber Security News
84,000+ Roundcube Webmail Installation Vulnerable to Remote Code Execution Attacks

A critical security vulnerability affecting Roundcube webmail installations has exposed over 84,000 systems worldwide to remote code execution attacks. The vulnerability, tracked as CVE-2025-49113, al ...

Published Date: Jun 10, 2025 (8 months, 3 weeks ago)
  • security.nl
85,000 RoundCube mail servers contain actively exploited RCE flaw

Worldwide there are more than 85,000 RoundCube mail servers that contain an actively exploited vulnerability which makes remote code execution (RCE) possible, of which more than seventeen hundred are in the Netherlands. ...

Published Date: Jun 10, 2025 (8 months, 3 weeks ago)
  • BleepingComputer
Over 84,000 Roundcube instances vulnerable to actively exploited flaw

Over 84,000 Roundcube webmail installations are vulnerable to CVE-2025-49113, a critical remote code execution (RCE) flaw with a public exploit. The flaw, which impacts Roundcube versions 1.1.0 throug ...

Published Date: Jun 09, 2025 (8 months, 3 weeks ago)
  • Help Net Security
Roundcube RCE: Dark web activity signals imminent attacks (CVE-2025-49113)

With an exploit for a critical Roundcube vulnerability (CVE-2025-49113) being offered for sale on underground forums and a PoC exploit having been made public, attacks exploiting the flaw are incoming ...

Published Date: Jun 09, 2025 (9 months ago)
  • Daily CyberSecurity
UNC1151 Exploits Roundcube Flaw in Spear Phishing Attack

CERT Polska has sounded the alarm after uncovering a spear phishing campaign that targeted Polish organizations using a critical webmail vulnerability. The campaign is linked to the UNC1151 APT group, ...

Published Date: Jun 09, 2025 (9 months ago)
  • Cyber Security News
Hackers Exploiting Roundcube Vulnerability to Steal User Credentials

A sophisticated spear phishing campaign targeting Polish organizations, where threat actors successfully exploited the CVE-2024-42009 vulnerability in Roundcube webmail systems. The attack enables Jav ...

Published Date: Jun 06, 2025 (9 months ago)
  • security.nl
Critical RoundCube flaw enables remote code execution on mail servers

A critical vulnerability in RoundCube makes remote code execution on mail servers possible. A security update has been made available and organisations are urged to install it immediately ...

Published Date: Jun 06, 2025 (9 months ago)
  • BleepingComputer
Hacker selling critical Roundcube webmail exploit as tech info disclosed

Hackers are likely starting to exploit CVE-2025-49113, a critical vulnerability in the widely used Roundcube open-source webmail application that allows remote execution. The security issue has been p ...

Published Date: Jun 05, 2025 (9 months ago)
  • cert.pl
UNC1151 exploiting Roundcube to steal user credentials in a spearphishing campaign

CERT Polska has observed a spear phishing campaign targeting Polish entities this week. The threat actor attempted to exploit the CVE-2024-42009 vulnerability, which allows JavaScript code to be execu ...

Published Date: Jun 05, 2025 (9 months ago)
  • Daily CyberSecurity
CVE-2025-49113: Roundcube RCE Exploit Unveiled—The Swiss Army Knife of Webmail Just Got a Weaponized Blade

In a stunningly fast-moving sequence of events, a serious vulnerability in the widely-used Roundcube webmail client—CVE-2025-49113—has been disclosed early by security researcher Kirill Firsov, founde ...

Published Date: Jun 05, 2025 (9 months ago)

The following table lists the changes that have been made to the CVE-2025-49113 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Modified Analysis by [email protected]

    Feb. 23, 2026

    Action Type Old Value New Value
    Added CWE CWE-502
    Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113 Types: US Government Resource
  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Feb. 20, 2026

    Action Type Old Value New Value
    Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113
  • Initial Analysis by [email protected]

    Dec. 22, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* versions up to (excluding) 1.5.10 *cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:* versions from (including) 1.6.0 up to (excluding) 1.6.11
    Added CPE Configuration OR *cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
    Added Reference Type MITRE: https://fearsoff.org/research/roundcube Types: Third Party Advisory
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d Types: Patch
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695 Types: Patch
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e Types: Patch
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/pull/9865 Types: Issue Tracking
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/releases/tag/1.5.10 Types: Release Notes
    Added Reference Type MITRE: https://github.com/roundcube/roundcubemail/releases/tag/1.6.11 Types: Release Notes
    Added Reference Type MITRE: https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10 Types: Vendor Advisory
    Added Reference Type CVE: http://www.openwall.com/lists/oss-security/2025/06/02/3 Types: Mailing List, Third Party Advisory
    Added Reference Type CVE: https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html Types: Mailing List, Third Party Advisory
    Added Reference Type MITRE: https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script Types: Exploit, Mitigation, Third Party Advisory
    Added Reference Type MITRE: https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection Types: Exploit, Mitigation, Third Party Advisory
  • CVE Modified by [email protected]

    Jun. 12, 2025

    Action Type Old Value New Value
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script
    Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-vulnerability-detection
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jun. 09, 2025

    Action Type Old Value New Value
    Added Reference https://lists.debian.org/debian-lts-announce/2025/06/msg00008.html
  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Jun. 02, 2025

    Action Type Old Value New Value
    Added Reference http://www.openwall.com/lists/oss-security/2025/06/02/3
  • CVE Modified by [email protected]

    Jun. 02, 2025

    Action Type Old Value New Value
    Added Reference https://fearsoff.org/research/roundcube
  • New CVE Received by [email protected]

    Jun. 02, 2025

    Action Type Old Value New Value
    Added Description Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-502
    Added Reference https://github.com/roundcube/roundcubemail/commit/0376f69e958a8fef7f6f09e352c541b4e7729c4d
    Added Reference https://github.com/roundcube/roundcubemail/commit/7408f31379666124a39f9cb1018f62bc5e2dc695
    Added Reference https://github.com/roundcube/roundcubemail/commit/c50a07d88ca38f018a0f4a0b008e9a1deb32637e
    Added Reference https://github.com/roundcube/roundcubemail/pull/9865
    Added Reference https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
    Added Reference https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
    Added Reference https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 9.9 (CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, as recorded in the change history above)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High