10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code


Posted on June 3, 2025 By CWS

A decade-old critical security vulnerability has been found in Roundcube Webmail that could allow authenticated attackers to execute arbitrary code on vulnerable systems, potentially affecting thousands and thousands of installations worldwide.

The flaw, tracked as CVE-2025-49113, carries an alarming CVSS score of 9.9 out of 10.0, marking it as one of the most severe vulnerabilities found in recent times.

The vulnerability affects all Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11, a staggering scope of impact that includes over 53 million hosts globally.

The flaw notably concerns popular web hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin, which bundle Roundcube as their default webmail solution.

10-Year-Old Roundcube RCE Vulnerability

Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff, discovered this post-authentication remote code execution vulnerability, which exploits PHP object deserialization.

The security flaw stems from insufficient validation of the _from parameter in the URL within the program/actions/settings/add.php file, enabling malicious users to manipulate serialized PHP objects and execute arbitrary code on the server.

Roundcube has historically been a prime target for advanced persistent threat groups. Previous vulnerabilities in the webmail platform have been exploited by nation-state actors including APT28 and Winter Vivern.

Last year, unidentified hackers attempted to exploit CVE-2024-37383 in phishing attacks aimed at stealing user credentials.

More recently, ESET researchers documented APT28’s exploitation of cross-site scripting vulnerabilities in various webmail servers, including Roundcube, to harvest confidential data from governmental entities and defense companies in Eastern Europe.

The Centre for Cybersecurity Belgium has issued urgent warnings, strongly recommending that organizations install updates with the highest priority after thorough testing. Fixed versions are now available, with Roundcube Webmail 1.6.11 and 1.5.10 LTS addressing the vulnerability.
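To turn the affected ranges above into a patch-priority list, the following added example (not code from Roundcube or FearsOff) classifies an inventory of installed versions against the fixed releases 1.5.10 and 1.6.11. The inventory, hostnames and the "review" rule for suffixed builds are assumptions made for the illustration.

```python
import re

FIXED_15 = (1, 5, 10)  # LTS release named in the article
FIXED_16 = (1, 6, 11)  # 1.6.x release named in the article

# Constructed inventory: hostnames and version strings are invented for the example.
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.11",
    "mail-c.example": "1.4.15",
    "mail-d.example": "1.5.10",
    "panel-e.example": "1.6.10+dfsg-1~deb12u1",
    "mail-f.example": "custom build",
}

def parse_version(text):
    """Split 'v1.6.10-foo' into ((1, 6, 10), '-foo'); return None if not a version."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?(\S*)\s*$", text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch or 0)), suffix

def classify(text):
    """Return 'vulnerable', 'not_affected', 'review' or 'unknown' for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"
    ver, suffix = parsed
    # 1.6.x is measured against 1.6.11; every other branch against 1.5.10.
    fixed = FIXED_16 if ver[:2] == (1, 6) else FIXED_15
    if ver > fixed or (ver == fixed and not suffix):
        return "not_affected"
    # Assumption: a suffixed build (distro or panel package, pre-release) may carry
    # a backported fix or lack the final one, so it needs a manual check.
    return "review" if suffix else "vulnerable"

def triage(inventory):
    """Group hosts by status, e.g. {'vulnerable': ['mail-a.example', ...]}."""
    report = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(classify(version), []).append(host)
    return report

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts in the "review" and "unknown" groups need the package changelog or vendor advisory checked, since the version number alone does not settle whether the fix is present.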

FearsOff has indicated plans to publish full technical details and proof-of-concept code “quickly,” following responsible disclosure practices to allow sufficient time for affected parties to apply the necessary patches.

This approach demonstrates the cybersecurity community’s commitment to giving organizations ample time to secure their systems before detailed exploitation techniques become public.

Organizations using Roundcube Webmail should prioritize immediate patching and implement enhanced monitoring capabilities to detect any suspicious activity that might indicate attempted exploitation of this critical vulnerability.
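As one form the monitoring recommended above could take, this added example (not from the article or from Roundcube) scans web server access logs for settings requests whose _from URL parameter contains anything beyond plain identifier characters. The combined log format, the `_task=settings` filter and the allow-list are assumptions to be tuned against your own baseline; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: benign _from values are short identifiers (letters, digits, _ . -).
SIMPLE = re.compile(r"^[A-Za-z0-9_.-]*$")
# Combined/common log format: ip, ident, user, [time], "METHOD target PROTO", status
REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder action names).
SAMPLE_LOG = [
    '198.51.100.7 - - [03/Jun/2025:10:00:01 +0000] '
    '"GET /?_task=settings&_action=example&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Jun/2025:10:02:11 +0000] '
    '"POST /?_task=settings&_action=example&_from=constructed%2Avalue HTTP/1.1" 200 87',
    '203.0.113.9 - - [03/Jun/2025:10:02:15 +0000] '
    '"GET /?_task=mail&_from=a%2Ab HTTP/1.1" 200 40',
    'truncated line without a request field',
]

def suspicious_from_requests(lines):
    """Return (client_ip, timestamp, decoded _from) for each anomalous settings request."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        ip, ts, _method, target, _status = m.groups()
        # parse_qs percent-decodes, so encoded characters cannot hide from the check
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "settings" not in query.get("_task", []):
            continue
        for value in query.get("_from", []):
            if not SIMPLE.match(value):
                hits.append((ip, ts, value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in suspicious_from_requests(SAMPLE_LOG):
        print(f"{ts} {ip} unusual _from value: {value!r}")
```

Because the flaw is post-authentication, each hit is worth correlating with the webmail account logged in from that address at that time.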
