Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Posted on By CWS

Jun 03, 2025Ravie LakshmananEmail Safety / Vulnerability
Cybersecurity researchers have disclosed particulars of a essential safety flaw within the Roundcube webmail software program that has gone unnoticed for a decade and could possibly be exploited to take over vulnerable methods and execute arbitrary code.
The vulnerability, tracked as CVE-2025-49113, carries a CVSS rating of 9.9 out of 10.0. It has been described as a case of post-authenticated distant code execution through PHP object deserialization.
“Roundcube Webmail earlier than 1.5.10 and 1.6.x earlier than 1.6.11 permits distant code execution by authenticated customers as a result of the _from parameter in a URL just isn’t validated in program/actions/settings/add.php, resulting in PHP Object Deserialization,” reads the outline of the flaw within the NIST’s Nationwide Vulnerability Database (NVD).
The shortcoming, which impacts all variations of the software program earlier than and together with 1.6.10, has been addressed in 1.6.11 and 1.5.10 LTS. Kirill Firsov, founder and CEO of FearsOff, has been credited with discovering and reporting the flaw.

The Dubai-based cybersecurity firm famous in a short advisory that it intends to make public further technical particulars and a proof-of-concept (PoC) “quickly” in order to present customers enough time to use the required patches.

Beforehand disclosed safety vulnerabilities in Roundcube have been a profitable goal for nation-state menace actors like APT28 and Winter Vivern. Final 12 months, Constructive Applied sciences revealed that unidentified hackers tried to use a Roundcube flaw (CVE-2024-37383) as a part of a phishing assault designed to steal consumer credentials.
Then a few weeks in the past, ESET famous that APT28 had leveraged cross-site scripting (XSS) vulnerabilities in numerous webmail servers resembling Roundcube, Horde, MDaemon, and Zimbra to reap confidential information from particular e-mail accounts belonging to governmental entities and protection corporations in Jap Europe.

Discovered this text fascinating? Observe us on Twitter  and LinkedIn to learn extra unique content material we put up.

The Hacker News Tags:, , , , , , , , ,

Related Posts

WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately WinRAR Zero-Day Under Active Exploitation – Update to Latest Version Immediately The Hacker News
China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems China-Linked Tick Group Exploits Lanscope Zero-Day to Hijack Corporate Systems The Hacker News
Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers Chinese Cybercrime Group Runs Global SEO Fraud Ring Using Compromised IIS Servers The Hacker News
New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code New VVS Stealer Malware Targets Discord Accounts via Obfuscated Python Code The Hacker News
CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation CISA Orders Immediate Patch of Critical Sitecore Vulnerability Under Active Exploitation The Hacker News
MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors MuddyWater Launches RustyWater RAT via Spear-Phishing Across Middle East Sectors The Hacker News