More than 80,000 Roundcube webmail servers are affected by a critical-severity remote code execution (RCE) vulnerability that has already been exploited in attacks.
Tracked as CVE-2025-49113 (CVSS score of 9.9), the flaw is described as a post-authentication RCE via PHP object deserialization and affects all Roundcube versions released over the past decade (1.1.0 through 1.6.10).
According to security researcher Kirill Firsov, who reported the security defect, the root cause is flawed logic that incorrectly evaluates variable names beginning with an exclamation mark (!), which leads to session corruption and PHP object injection.
The lack of sanitization of a specific parameter allows an attacker to include a payload in the name of a file to be uploaded, resulting in data being injected into the current session, Firsov says.
The vulnerability has remained hidden in Roundcube's code for more than 10 years; it can be reproduced on default installations, requires no dependencies, and its exploitation is not detected by firewalls, the researcher notes.
“This vulnerability affects Roundcube versions 1.1.0 through 1.6.10, including default installs in cPanel, Plesk, ISPConfig, and others,” he says.
Firsov also warned that threat actors devised exploit code for the bug within days after patches were included in Roundcube versions 1.6.11 and 1.5.10, which were released on June 1.
“The exploit for CVE-2025-49113 is already available for sale on the dark web. I feel sorry for anyone who hasn't upgraded to the latest version yet,” the researcher warned on June 4.
Over the weekend, The Shadowserver Foundation warned that roughly 84,000 unpatched Roundcube instances were seen on the internet. As of June 9, its data shows more than 85,000 vulnerable servers.
Successful exploitation of the security defect requires a valid username and password, but the threat actor selling the exploit claims that credentials can be brute-forced or extracted from logs.
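Administrators who want to know whether their own install is among the unpatched hosts can check the version string on disk against the affected range the article gives. The script below is an added example and is not code from the article, from Firsov, or from the Roundcube project; it assumes the version is defined as RCMAIL_VERSION in program/include/iniset.php (where Roundcube 1.x installs keep it) and that any release newer than 1.6.11 or 1.5.10 carries the fix. The sample install it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the article or from the Roundcube project:
# classify an installed Roundcube version against the affected range reported
# for CVE-2025-49113 (1.1.0 through 1.6.10; fixed in 1.6.11 and 1.5.10).
# Assumptions: the version string is read from the RCMAIL_VERSION define in
# program/include/iniset.php, and any release newer than the fixed ones
# carries the fix.

# Print the version string found in a Roundcube install directory; fail if absent.
roundcube_version() {
  f="$1/program/include/iniset.php"
  [ -r "$f" ] || return 1
  v=$(sed -n "s/.*define('RCMAIL_VERSION', *'\([0-9][0-9.]*\)'.*/\1/p" "$f" | head -n 1)
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# Exit 0 if VERSION lies in the affected range, 1 if it is fixed or out of range.
roundcube_vulnerable() {
  v="$1"
  case "$v" in *.*) ;; *) return 1 ;; esac   # need at least major.minor
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  [ "$patch" != "$rest" ] || patch=0        # "1.6" has no patch component
  patch=${patch%%[!0-9]*}                   # drop suffixes such as "-rc1"
  [ -n "$patch" ] || patch=0
  case "$major.$minor" in
    1.6) [ "$patch" -le 10 ] ;;             # fixed in 1.6.11
    1.5) [ "$patch" -le 9 ] ;;              # fixed in 1.5.10
    1.[1-4]) return 0 ;;                    # no fixed release in these branches
    *) return 1 ;;                          # older than 1.1.0, or newer than 1.6
  esac
}

# Constructed sample install (not a real server) to show the two functions together.
sample=$(mktemp -d)
mkdir -p "$sample/program/include"
printf "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n" > "$sample/program/include/iniset.php"
if v=$(roundcube_version "$sample") && roundcube_vulnerable "$v"; then
  echo "$sample: Roundcube $v is in the affected range; upgrade to 1.6.11 or 1.5.10"
else
  echo "$sample: Roundcube ${v:-(unknown)} is not in the affected range"
fi
rm -rf "$sample"
```

Point roundcube_version at the web root of each install (for example the directory cPanel or Plesk ships Roundcube in) and act on any hit; a hosting panel may bundle its own copy in a non-default path, so search for iniset.php rather than relying on one location.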
In fact, CERT Poland on Friday warned that threat actors are exploiting a Roundcube XSS flaw in a spear-phishing campaign aimed at credential theft. CERT Poland attributed the activity to the Belarusian hacking group UNC1151.
Tracked as CVE-2024-42009, the flaw leads to JavaScript code execution when an email is opened. The US cybersecurity agency CISA added the security defect to its Known Exploited Vulnerabilities (KEV) catalog on Wednesday, urging federal agencies to patch it by June 30.
Related: Roundcube Webmail Vulnerability Exploited in Government Attack
Related: CISA Warns of Exploited GeoServer, Linux Kernel, and Roundcube Vulnerabilities
Related: Russian Cyberspies Exploit Roundcube Flaws Against European Governments