
Cybersecurity researchers have uncovered a major security flaw in the widely-used Roundcube webmail software, which has remained undetected for over a decade. This vulnerability could potentially allow attackers to take control of affected systems and execute arbitrary code. The flaw, tracked as CVE-2025-49113, has a critical CVSS score of 9.9 out of 10, signaling the severity of the risk.
The vulnerability is related to post-authenticated remote code execution through PHP object deserialization. It specifically affects versions of Roundcube before 1.5.10 and 1.6.x before 1.6.11, allowing an authenticated attacker to exploit the flaw by sending malicious input via the _from parameter in a URL, which is not validated properly in the upload.php script. This oversight could lead to remote code execution.
The issue has been addressed in versions 1.5.10 and 1.6.11 LTS. The flaw was first reported by Kirill Firsov, CEO of FearsOff, a Dubai-based cybersecurity firm, which also plans to release a proof-of-concept to help users patch their systems. This newly disclosed vulnerability is not the first time Roundcube has been targeted, as previous security flaws in the software have attracted the attention of advanced threat actors, including APT28 and Winter Vivern. These actors have exploited vulnerabilities in Roundcube to target governmental and defense entities, particularly in Eastern Europe.
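Turning the affected and fixed release ranges stated above into a check an administrator can run over a server inventory, as an added example that is not part of the original article or of the Roundcube project; the `RCMAIL_VERSION` define name and the host names are assumptions, not values from the article.

```python
"""Classify Roundcube version strings against the CVE-2025-49113 ranges.

Added example, not part of the original article. The ranges are the ones
the article gives: every release before 1.5.10, and 1.6.x before 1.6.11.
"""
import re
from typing import Dict, Tuple

# Fixed releases named in the article.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '1.6.10' (or a two-part '1.6') into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: str) -> bool:
    """True if the version sits inside a range the article lists as vulnerable."""
    v = parse_version(version)
    if v < FIXED_1_5:
        return True   # 1.5.0 - 1.5.9 and every older branch (1.4.x, 1.3.x, ...)
    if v[:2] == (1, 6) and v < FIXED_1_6:
        return True   # 1.6.0 - 1.6.10
    return False      # 1.5.10+, 1.6.11+; newer branches are not named by the article


# Assumption: Roundcube declares its version as define('RCMAIL_VERSION', '...')
# in program/include/iniset.php. Verify against your installation before relying on it.
_DEFINE_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def version_from_iniset(source: str) -> str:
    """Extract the version string from the contents of iniset.php."""
    m = _DEFINE_RE.search(source)
    if not m:
        raise ValueError("RCMAIL_VERSION define not found")
    return m.group(1)


def audit(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'affected' or 'patched' from its reported version."""
    return {h: ("affected" if is_affected(v) else "patched") for h, v in hosts.items()}


if __name__ == "__main__":
    # Constructed inventory; the host names are placeholders, not real systems.
    inventory = {"mail-a.example": "1.6.10", "mail-b.example": "1.6.11",
                 "mail-c.example": "1.5.9", "mail-d.example": "1.4.15"}
    for host, state in audit(inventory).items():
        print(f"{host}: {state}")
```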
What Undercode Says:
The discovery of the Roundcube vulnerability underscores a significant issue in the software security landscape. For over a decade, this flaw remained under the radar, posing a critical threat to millions of users worldwide. The fact that it could have been exploited by any authenticated user highlights the severity of the risk, as many organizations rely on Roundcube for secure communication. The flaw is a classic example of how even minor code oversights—like an unvalidated parameter—can be leveraged for catastrophic consequences.
What makes this flaw particularly alarming is its timing. As more businesses shift to digital communication platforms, webmail servers like Roundcube become a prime target for cybercriminals and nation-state actors. The growing sophistication of cyber-attacks, especially those targeting government entities and defense organizations, means that security flaws in widely-used platforms could lead to significant data breaches and compromises.
It’s also worth noting the pattern of ongoing vulnerabilities found in Roundcube. In 2024, a previous flaw (CVE-2024-37383) was exploited by hackers in a phishing attack aimed at stealing user credentials. Moreover, the fact that Roundcube is increasingly targeted by sophisticated threat actors like APT28, who have leveraged cross-site scripting (XSS) vulnerabilities in the past, signals a broader issue in the security posture of webmail software.
Another critical aspect of this vulnerability is how it was disclosed. The fact that the flaw was reported by FearsOff and the intention to release a proof-of-concept (PoC) in the near future indicates the growing trend of responsible disclosure in the cybersecurity industry. This ensures that users have enough time to patch their systems before the flaw is publicly exploited.
As more technical details emerge, it’s clear that businesses using Roundcube must act quickly to mitigate the risks posed by this vulnerability. Applying the patch should be a priority for administrators, and given the software’s widespread use, organizations must prioritize regular security audits of their systems to stay ahead of emerging threats.
Fact Checker Results:
🔍 Severity: CVE-2025-49113 is a critical vulnerability with a CVSS score of 9.9/10, reflecting its high exploitability and impact.
🔍 Exploited By: Previous vulnerabilities in Roundcube have been exploited by advanced persistent threats like APT28 and Winter Vivern, confirming the serious nature of the threat.
🔍 Patch Availability: Patches for versions 1.5.10 and 1.6.11 LTS have been released, addressing the critical flaw and mitigating the risk of exploitation.
Prediction:
🚀 Increased Exploitation: As more technical details and PoCs become available, it’s highly probable that cybercriminals will begin exploiting this vulnerability. Organizations that fail to apply the latest patches are likely to be targeted in the coming months.
🚀 Shift in Attack Targets: Given the evolving nature of threats, we can anticipate that other widely-used webmail servers could also face similar vulnerabilities, leading to a wave of attacks aimed at government, defense, and private sector email systems.
🚀 Long-term Security Implications: This flaw could trigger a renewed focus on webmail security protocols and lead to more stringent standards for software vulnerability management in the future.
References:
Reported By: thehackernews.com