Latest Roundcube Webmail vulnerability
A vulnerability has been disclosed in Roundcube Webmail stable versions 1.5 prior to 1.5.10 and 1.6 prior to 1.6.11 that allows a remote, authenticated attacker (one holding valid webmail credentials) to achieve remote code execution (RCE) through deserialization of untrusted data. The _from parameter in the URL is not validated in program/actions/settings/upload.php, so attacker-controlled input reaches PHP object deserialization. The flaw has been present in the product for approximately 10 years.
This vulnerability has been assigned CVE-2025-49113 and carries a CVSS score of 9.9 (critical).
What is the impact?
Successful exploitation allows an authenticated attacker to execute arbitrary code on the vulnerable host with the privileges of the web server (PHP) process, potentially leading to complete compromise of the system and of the mail data it serves.
Are any updates or workarounds available?
Roundcube has released fixed versions; updating is the remediation. Upgrade to the fixed release for your stable branch as quickly as possible.
- For Roundcube Webmail stable version 1.5, update to version 1.5.10 or later.
- For Roundcube Webmail stable version 1.6, update to version 1.6.11 or later.
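As an added example (not runZero's or Roundcube's code), the triage helper below maps an installed version to the fixed releases listed above, so a fleet of version strings can be classified consistently. It assumes Roundcube's version string format (e.g. `1.6.10`) and that the version is defined as `RCMAIL_VERSION` in program/include/iniset.php; it also treats branches older than 1.5 as out of support and in need of an upgrade to a fixed branch. All three are assumptions, not statements from the advisory.

```python
import re

# Fixed releases from the advisory, keyed by stable branch (major, minor).
FIXED_RELEASES = {
    (1, 5): (1, 5, 10),
    (1, 6): (1, 6, 11),
}

# Roundcube defines its version in program/include/iniset.php, e.g.
#   define('RCMAIL_VERSION', '1.6.10');
# Assumption about the file and define name; adjust if your tree differs.
_DEFINE_RE = re.compile(
    r"define\(\s*['\"]RCMAIL_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"
)
# Leading "major.minor[.patch]"; suffixes such as "-beta" are ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Turn '1.6.10' (or '1.7-beta') into a (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Roundcube version: %r" % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_from_iniset(source):
    """Extract the RCMAIL_VERSION string from the contents of iniset.php."""
    m = _DEFINE_RE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def assess(version):
    """Classify a version against CVE-2025-49113.

    Returns (status, upgrade_to), where upgrade_to is the release to move
    to, or None when no action is indicated by the advisory.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_RELEASES:
        fixed = FIXED_RELEASES[branch]
        if v < fixed:
            return "vulnerable", "%d.%d.%d" % fixed
        return "fixed", None
    if branch < (1, 5):
        # Assumption: 1.4 and older are out of support. The bug is roughly
        # ten years old, so these releases should be moved to a fixed branch.
        return "unsupported", "1.6.11"
    # A branch newer than the advisory covers: consult its release notes.
    return "not-covered", None


if __name__ == "__main__":
    # Constructed iniset.php fragment for demonstration, not a real file.
    sample = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"
    ver = version_from_iniset(sample)
    print(ver, assess(ver))
```

Feed `assess` the version you have confirmed on each host (from the file above, or from the "About" dialog in the webmail UI); a product match from an inventory query identifies the software, not the release, so the version still has to be established before a host is marked fixed.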
How do I find Roundcube Webmail installations with runZero?
From the Service Inventory, use the following query to locate assets that appear to be running Roundcube Webmail, matched by HTML title or by known favicon hashes. The query identifies the product, not the installed release, so confirm the version on each match before deciding whether it is affected:
_asset.protocol:http AND protocol:http AND ((has:html.title AND html.title:="RoundCube%") OR (has:favicon.ico.image.md5 AND (favicon.ico.image.md5:="924a68d347c80d0e502157e83812bb23" OR favicon.ico.image.md5:="f1ac749564d5ba793550ec6bdc472e7c" OR favicon.ico.image.md5:="ef9c0362bf20a086bb7c2e8ea346b9f0")))