Warning: Critical PHP Deserialization Vulnerability in Roundcube Webmail, Patch Immediately!

  • Published: 02/06/2025
  • Last update: 02/06/2025
  • Affected software: Roundcube Webmail
  • Type:
    → CWE-502 Deserialization of Untrusted Data
    → Remote code execution (RCE)
  • CVE/CVSS:
    → CVE-2025-49113: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

Risks

A critical security vulnerability has been identified in Roundcube Webmail that allows post-authentication remote code execution (RCE) via PHP object deserialization. The vulnerability poses a high risk to the confidentiality, integrity, and availability (CIA) of affected systems.

Although there is currently no public indication that this vulnerability is being actively exploited in the wild, previous Roundcube vulnerabilities have reportedly been exploited at scale.

Within 48 hours of becoming publicly known, CVE-2025-49113 was being actively exploited, with evidence of exploitation offered for sale on underground forums. On 2025-06-06, details of a successful attack were demonstrated in a publicly released proof-of-concept (PoC) exploit, intended to give defenders the full technical details. As a side effect, the PoC release increases the risk of successful exploitation by malicious actors.

Description

CVE-2025-49113, CVSS 9.9

This vulnerability stems from unsafe PHP object deserialization in the Roundcube Webmail platform. Authenticated users can exploit the flaw by submitting a specially crafted _from parameter to program/actions/settings/upload.php. This parameter is not properly validated, allowing manipulation of serialized PHP objects to execute arbitrary PHP code on the server.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority after thorough testing. The issue is fixed in versions 1.5.10 and 1.6.11.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

Patching appliances or software to the newest version protects against future exploitation, but it does not remediate a compromise that has already occurred.

Impacted users are advised to patch immediately and monitor file uploads and session activity in the meantime.
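To support the monitoring recommended above, the following added example (not code from the advisory or from the Roundcube project) scans web server access-log lines for requests to the settings upload action whose `_from` parameter is anomalous. It assumes the upload action is reached via `_task=settings&_action=upload` in the query string, that legitimate `_from` values are short identifiers such as `edit-identity`, and that a serialized PHP object is recognisable by an `O:<len>:"` marker; the log lines are constructed, and parameters sent only in a POST body are not visible in access logs and need request-body logging or a WAF.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Combined Log Format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - alice [02/Jun/2025:10:01:12 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - bob [02/Jun/2025:10:02:40 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%7CO%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.7 - carol [02/Jun/2025:10:03:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Assumed allowlist: legitimate _from values are short identifiers (e.g. "edit-identity").
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]{1,64}$')
# Assumed marker of an embedded serialized PHP object, e.g. O:8:"stdClass":
SERIALIZED_OBJ = re.compile(r'O:\d+:"')

def parse_line(line):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["target"]).query
    rec["params"] = {k: v[0] for k, v in parse_qs(query).items()}
    return rec

def classify(rec):
    """Return a reason string if the request looks like probing of the _from parameter, else None."""
    p = rec["params"]
    # Only the settings upload action is in scope; body-only parameters are not visible here.
    if p.get("_task") != "settings" or p.get("_action") != "upload":
        return None
    frm = p.get("_from", "")
    if SERIALIZED_OBJ.search(frm):
        return "serialized PHP object in _from"
    if not SAFE_FROM.match(frm):
        return "unexpected characters in _from"
    return None

def scan(lines):
    """Return (client_ip, user, reason) for every suspicious request in the given lines."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and (reason := classify(rec)):
            hits.append((rec["ip"], rec["user"], reason))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```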

References

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
https://github.com/roundcube/roundcubemail/releases/tag/1.6.11
https://fearsoff.org/research/roundcube