Warning: Critical PHP Deserialization Vulnerability in Roundcube Webmail, Patch Immediately!

  • Published: 02/06/2025
  • Last update: 02/06/2025
  • Affected software: Roundcube Webmail
  • Type:
    → CWE-502 Deserialization of Untrusted Data
    → Remote code execution (RCE)
  • CVE/CVSS:
    → CVE-2025-49113: CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2025-49113

Risks

A critical security vulnerability has been identified in Roundcube Webmail that allows post-authentication remote code execution (RCE) via PHP object deserialization. The vulnerability poses a high risk to the confidentiality, integrity, and availability (CIA) of affected systems.

Although there is currently no public indication that this vulnerability is being actively exploited in the wild, previous vulnerabilities in Roundcube have reportedly been exploited at scale.

Description

CVE-2025-49113, CVSS 9.9

This vulnerability stems from unsafe PHP object deserialization in the Roundcube Webmail platform. Authenticated users can exploit the flaw by submitting a specially crafted _from parameter to program/actions/settings/upload.php. This parameter is not properly validated, allowing manipulation of serialized PHP objects to execute arbitrary PHP code on the server.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable installations with the highest priority after thorough testing. The issue should be fixed in versions 1.5.10 and 1.6.11.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10
https://github.com/roundcube/roundcubemail/releases/tag/1.5.10
https://github.com/roundcube/roundcubemail/releases/tag/1.6.11