CVE-2025-49113 — Roundcube Webmail Deserialization of Untrusted Data Vulnerability


Roundcube Webmail — Authenticated PHP Object Deserialization via _from Parameter; 85,000 Exposed Instances

What is Roundcube Webmail?

Roundcube is one of the most widely deployed open-source webmail platforms, providing browser-based IMAP email access for millions of users globally. It is bundled with cPanel, Plesk, ISPConfig, DirectAdmin, and other popular web hosting control panels — meaning a single vulnerability affects a vast number of shared hosting environments simultaneously. Roundcube has been repeatedly targeted by state-sponsored threat actors (particularly APT28/Fancy Bear and Winter Vivern) because email access provides intelligence on user communications, credentials, and organizational activities. A code execution vulnerability on the Roundcube server grants the attacker access to all mail data for all users on the instance.

Overview

CVE-2025-49113 is a critical PHP object deserialization vulnerability (CWE-502, CVSS 9.9) in Roundcube Webmail. The _from URL parameter in the settings upload action (program/actions/settings/upload.php) is passed to session handling code without adequate sanitization. A specially crafted _from value corrupts the session state and injects a malicious serialized PHP object, triggering arbitrary code execution in the context of the webmail server. Exploitation requires a valid authenticated session (any regular user account), hence PR:L. The vulnerability existed undetected for approximately 10 years. An exploit appeared on underground forums within 48 hours of the patch; Shadowserver counted 84,925 vulnerable internet-exposed instances one week later. CISA added it to the KEV catalog in February 2026.

Affected Versions

Branch                        Vulnerable                    Fixed
Roundcube 1.6.x               1.6.0 through 1.6.10          1.6.11
Roundcube 1.5.x               1.5.0 through 1.5.9           1.5.10
Roundcube 1.4.x and earlier   All versions (unsupported)    Must upgrade to 1.5.10 or 1.6.11

Technical Details

The vulnerability (CWE-502) is in program/actions/settings/upload.php. The upload action reads the _from URL parameter via rcube_utils::get_input_string(), strips an add- or edit- prefix via regex, and replaces dots with hyphens — but applies no further sanitization. The processed value is then used as a session variable name.

When the _from value begins with !, PHP's session handling mechanism interprets this as a special session namespace indicator. By crafting a _from value that begins with ! followed by a serialized PHP object, an attacker can corrupt the session state in a way that causes PHP to deserialize the malicious object during session processing. This triggers a PHP gadget chain available in Roundcube's dependency set, ultimately executing arbitrary OS commands as the web server user.

Exploitation requires a valid Roundcube user account (PR:L), but any regular mailbox user is sufficient — no administrative privileges are needed. The CVSS Scope:Changed (S:C) rating reflects that the OS command execution crosses the PHP application boundary to the underlying server.

Discovery

Discovered by Kirill Firsov (founder/CEO of FearsOff). Firsov described the situation as "email armageddon" and published technical details to help defenders, after observing that attackers had already reverse-engineered the patch within 48 hours of release and begun actively exploiting the vulnerability.

Exploitation Context

An exploit appeared on underground cybercriminal forums within 48 hours of the June 1, 2025 patch. Shadowserver Foundation counted 84,925 vulnerable internet-exposed Roundcube instances as of June 8, 2025. Roundcube's bundling with cPanel, Plesk, ISPConfig, and DirectAdmin amplifies the attack surface to cover a substantial fraction of shared web hosting globally. CISA added CVE-2025-49113 to the KEV catalog on 20 February 2026 alongside companion CVE-2025-68461 (a Roundcube XSS). Historical Roundcube attackers include APT28 (Russian GRU) and Winter Vivern (Belarus/Russia-linked) — both known to target webmail for email intelligence. Rapid7 published a Metasploit module for the vulnerability.

Remediation

  1. Upgrade Roundcube immediately to 1.6.11 (for 1.6.x installs) or 1.5.10 (for 1.5.x installs). For cPanel/Plesk/DirectAdmin/ISPConfig deployments, apply the hosting panel's built-in Roundcube update.
  2. Verify the installed version: check program/include/iniset.php or /etc/roundcubemail/config.inc.php for the $rcmail_config['version'] value.
  3. Audit user accounts for unauthorized email access or forwarding rules added by attackers post-exploitation.
  4. Review web server logs for unusual requests to /program/actions/settings/upload.php with anomalous _from parameter values — particularly values starting with !.
  5. Also apply the CVE-2025-68461 patch — the same 1.6.11/1.5.10 release addresses this companion XSS vulnerability.
  6. Restrict Roundcube access to authenticated users only — disable guest/anonymous access. Consider IP-restricting admin-level functions.
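The following script, added here as a worked example (it is not Roundcube project code), automates two of the remediation steps above: it applies the Affected Versions table to a version string, and it scans constructed Apache/nginx combined-format access log lines for requests to the settings upload action whose _from parameter begins with "!". Assumptions not taken from the advisory: that Roundcube also routes the action as ?_task=settings&_action=upload (its usual index.php routing), the SAFE_FROM allowlist used to grade values that do not start with "!", and that branches newer than 1.6 carry the fix.

```python
"""Defender-side checks for CVE-2025-49113 (Roundcube, _from deserialization).

Added example; this is not Roundcube project code. It covers two remediation
steps: deciding whether an installed version is affected (per the advisory's
Affected Versions table) and scanning web server access logs for requests to
the settings upload action whose _from parameter begins with '!'.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# First fixed release per supported branch (from the Affected Versions table).
FIXED = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

# Action file named in the advisory. The routed form Roundcube normally uses
# (index.php?_task=settings&_action=upload) is matched too; that is an assumption.
UPLOAD_PATH = "/program/actions/settings/upload.php"

# Heuristic allowlist (assumption, not from the advisory): benign _from values
# are an optional add-/edit- prefix followed by word characters, dots or hyphens.
SAFE_FROM = re.compile(r"^(add-|edit-)?[\w.-]*$")

# Apache/nginx "combined" format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version):
    """'1.6.10' or '1.6.10-git' -> (1, 6, 10); keeps at most three components."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def is_vulnerable_version(version):
    """True if this Roundcube version is affected by CVE-2025-49113."""
    parts = parse_version(version)
    if len(parts) < 2:
        raise ValueError("unparseable Roundcube version: %r" % version)
    branch = parts[:2]
    if branch in FIXED:
        return (parts + (0,))[:3] < FIXED[branch]
    # 1.4.x and earlier: every release is affected. Branches newer than 1.6 are
    # not covered by the table; treating them as fixed is an assumption.
    return branch < (1, 5)


def _upload_request(target):
    """Return (is_upload_action, parsed_query) for a request target."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    direct = parts.path.endswith(UPLOAD_PATH)
    routed = qs.get("_task") == ["settings"] and qs.get("_action") == ["upload"]
    return direct or routed, qs


def classify_from(decoded):
    """'high' for a '!'-prefixed value (the advisory's indicator), 'medium' for
    anything outside the allowlist, None for a benign-looking value."""
    if decoded.startswith("!"):
        return "high"
    if not SAFE_FROM.match(decoded):
        return "medium"
    return None


def scan_access_log(lines):
    """Return [(line_no, client_ip, user, decoded_from, severity), ...] for
    suspicious requests to the upload action."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        is_upload, qs = _upload_request(m["target"])
        if not is_upload:
            continue
        for raw in qs.get("_from", []):
            decoded = unquote(raw)  # parse_qs decoded once; this also catches %2521
            sev = classify_from(decoded)
            if sev:
                findings.append((n, m["ip"], m["user"], decoded, sev))
    return findings


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [08/Jun/2025:10:00:01 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [08/Jun/2025:10:00:05 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jun/2025:10:02:17 +0000] "POST /?_task=settings&_action=upload&_from=%21x HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [08/Jun/2025:10:02:18 +0000] "GET /program/actions/settings/upload.php?_from=%2521y HTTP/1.1" 404 198 "-" "curl/8.0"',
    '192.0.2.5 - - [08/Jun/2025:10:03:00 +0000] "POST /?_task=settings&_action=upload&_from=edit-identity%7Cx HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("1.6.10", "1.6.11", "1.5.10", "1.4.15"):
        print(v, "VULNERABLE" if is_vulnerable_version(v) else "fixed")
    for n, ip, user, val, sev in scan_access_log(SAMPLE_LOG):
        print("line %d %s user=%s severity=%s _from=%r" % (n, ip, user, sev, val))
```

Two caveats when running this against real logs: access logs record only the query string, so a _from value submitted in a POST body is invisible here and needs a web application firewall or request-body logging to catch; and the "medium" grade rests on the SAFE_FROM assumption, so tune it against a sample of known-good traffic before acting on it.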

Key Details

Property              Value
CVE ID                CVE-2025-49113
Vendor / Product      Roundcube — Webmail
NVD Published         2025-06-02
NVD Last Modified     2026-02-23
CVSS 3.1 Score        9.9
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-502
CISA KEV Added        2026-02-20
CISA KEV Deadline     2026-03-13
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Changed
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-03-13. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2025-06-01    Roundcube 1.6.11 and 1.5.10 released — patching the deserialization vulnerability
2025-06-02    CVE published
2025-06-03    Attackers reverse-engineer the patch within 48 hours; exploit appears on underground forums
2025-06-08    Shadowserver counts 84,925 vulnerable internet-exposed Roundcube instances
2026-02-20    CISA adds to Known Exploited Vulnerabilities catalog (alongside companion CVE-2025-68461 XSS)
2026-03-13    CISA BOD 22-01 remediation deadline