Latest Roundcube Webmail vulnerability

A vulnerability has been disclosed in Roundcube Webmail stable 1.5 releases prior to 1.5.10 and stable 1.6 releases prior to 1.6.11 that allows a remote, authenticated attacker to achieve remote code execution (RCE) through deserialization of untrusted data. The _from parameter in a URL is not validated in program/actions/settings/upload.php, so untrusted input reaches PHP object deserialization. This vulnerability has existed within the product for approximately 10 years.

This vulnerability has been designated CVE-2025-49113 and has a CVSS score of 9.9 (critical).

What is the impact?

Successful exploitation of this vulnerability would allow an attacker to execute arbitrary code on the vulnerable system, potentially leading to complete system compromise.

Are any updates or workarounds available?

Roundcube has released updates to mitigate this issue. Users are encouraged to update to the latest stable version as quickly as possible.

  • For Roundcube Webmail stable version 1.5, update to version 1.5.10 or later.
  • For Roundcube Webmail stable version 1.6, update to version 1.6.11 or later.

How do I find Roundcube Webmail installations with runZero?

From the Service Inventory, use the following query to locate potentially impacted assets:

_asset.protocol:http AND protocol:http AND ((has:html.title AND html.title:="RoundCube%") OR (has:favicon.ico.image.md5 AND (favicon.ico.image.md5:="924a68d347c80d0e502157e83812bb23" OR favicon.ico.image.md5:="f1ac749564d5ba793550ec6bdc472e7c" OR favicon.ico.image.md5:="ef9c0362bf20a086bb7c2e8ea346b9f0")))
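Once installations are located, the next step is deciding which ones fall inside the affected ranges and whether the upload endpoint has seen odd _from values. The following Python is an added example, not code from runZero's post or from the Roundcube project: it checks version strings against the ranges stated above and scans web-server access logs for settings-upload requests whose _from value falls outside a conservative allowlist. The URL layout (_task=settings&_action=upload) and the allowlist are assumptions, since the advisory names only upload.php and the _from parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs
# Affected ranges as stated in the advisory: 1.5.x below 1.5.10, 1.6.x below 1.6.11.
FIXED_IN = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

def parse_version(text):
    """'1.6.9' -> (1, 6, 9); a missing patch component counts as 0."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_affected(version):
    """True/False for the 1.5 and 1.6 branches the advisory covers; None for any
    other branch, which the advisory does not describe."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    return None if fixed is None else v < fixed

# Assumption: the upload action is reached with _task=settings&_action=upload in the
# query string (the usual Roundcube URL layout); the advisory names only upload.php and
# _from. The allowlist is a conservative detection choice, not Roundcube's own rule.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]*$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_from(url):
    """Return the offending _from value of a settings-upload URL, else None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("_task") != ["settings"] or qs.get("_action") != ["upload"]:
        return None
    for value in qs.get("_from", []):
        if not SAFE_FROM.match(value):
            return value
    return None

def scan_access_log(lines):
    """Return (client_ip, _from value) for each combined-format line that hits."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and (bad := suspicious_from(m.group(1))) is not None:
            hits.append((line.split()[0], bad))
    return hits

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '198.51.100.4 - alice [02/Jun/2025:09:10:11 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '198.51.100.9 - bob [02/Jun/2025:09:10:15 +0000] "GET /?_task=settings&_action=upload&_from=edit%20%3Cx%3E HTTP/1.1" 200 512',
    '198.51.100.6 - carol [02/Jun/2025:09:10:20 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 2048',
]
```

A hit from scan_access_log is a triage lead, not proof of exploitation; pair it with the version check and the server's own logs for the same request.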

Written by Matthew Kienow
