🔴 CVE-2025-49113

Critical RCE vulnerability in Roundcube Webmail allowing authenticated users to achieve remote code execution via PHP object deserialization. This is actively exploited in the wild and affects internet-facing webmail servers globally.

Risk Level: HIGH_RISK
CVSS Score: 9.9
Attack Vector: NETWORK
ATT&CK Tactic: Initial Access
ATT&CK Technique: T1190 — Exploit Public-Facing Application
Deployment Risk: VERY_HIGH
Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-06-02

Added to CISA KEV: 2026-02-20 (263 days between CVE publication and KEV listing)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-49113 is a critical remote code execution (RCE) vulnerability affecting Roundcube Webmail, which has been assigned a high CVSS score (9.9) [1].

Vulnerability Overview
  • Nature of Flaw: The vulnerability stems from insecure PHP object deserialization and improper handling of the `_from` parameter in a URL [3] [2].
  • Impact: Successful exploitation allows an authenticated attacker to execute arbitrary code on the underlying server, effectively granting them control over the webmail application [3] [5].
Exploitation Details
  • Requirements: The attack requires the user to be authenticated to the Roundcube Webmail instance [2] [5]. It is a network-based attack, as it can be triggered via a crafted URL [5].
  • Proof-of-Concept (PoC): Multiple PoC exploit scripts have been publicly released and are available on platforms like GitHub, demonstrating how the vulnerability can be weaponized [4] [3].
  • Active Exploitation: The vulnerability was significant enough to be added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, indicating that it has been observed in active exploitation in the wild [1].
Affected Versions and Mitigation
  • Affected Versions:
    * Roundcube Webmail versions prior to 1.5.10 [2].
    * Roundcube Webmail versions in the 1.6.x branch prior to 1.6.11 [2].
  • Status: This is a patched vulnerability. Users are strongly advised to update their Roundcube installations to version 1.5.10, 1.6.11, or later to mitigate the risk of exploitation [2].
While specific details regarding its use in large-scale ransomware campaigns versus targeted attacks are not always publicly attributed in detail, its inclusion in the CISA KEV catalog confirms it is a high-priority target for threat actors [1].
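Because the fix is a per-branch version floor (1.5.10 for older releases, 1.6.11 for the 1.6.x branch), the following added example, which is not code from this page or from the Roundcube project, classifies version strings from an asset inventory against exactly those two ranges; the host names and versions in `SAMPLE_INVENTORY` are constructed for illustration.

```python
"""Classify Roundcube Webmail versions against the affected ranges given in
this CVE-2025-49113 record: before 1.5.10, or 1.6.x before 1.6.11."""
import re
from typing import Dict, List, Tuple

# First fixed release on each branch, as stated in the record.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the leading dotted numeric version from strings such as
    '1.6.10', 'Roundcube Webmail 1.5.9' or '1.6.11-rc1' (suffixes ignored)."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str) -> bool:
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_1_6        # 1.6.x: fixed from 1.6.11 onward
    if v >= (1, 7):
        return False                # newer branches are outside the stated ranges
    # Everything else is "before 1.5.10", which includes 1.4.x and older.
    return v < FIXED_1_5


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts whose reported version is still in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "Roundcube Webmail 1.6.10",
    "mail-b.example.test": "1.6.11",
    "mail-c.example.test": "1.5.9",
    "mail-d.example.test": "1.5.10",
    "legacy.example.test": "1.4.15",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to 1.5.10 / 1.6.11 or later")
```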

Sources

  1. CISA adds Roundcube webmail RCE CVE-2025-49113 to KEV after sale

    The vulnerabilities are CVE-2025-49113, a deserialization leading to remote code execution (CVSS 9.9), and CVE-2025-68461, a cross-site scripting flaw via the animate tag in an SVG document (CVSS 7.2).

  2. CVE-2025-49113 Detail - NVD

    Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not ...

  3. GitHub - Zwique/CVE-2025-49113: POC of CVE-2025-49113

    This repository contains a Proof-of-Concept (PoC) exploit for CVE-2025-49113, a critical remote code execution vulnerability in Roundcube Webmail versions prior to 1.5.10 and 1.6.11. The vulnerability arises from insecure PHP object deserialization in the upload.php script, allowing authenticated us…

  4. GitHub - hakaioffsec/CVE-2025-49113-exploit: Proof of Concept ...

    This exploit targets a deserialization vulnerability in Roundcube Webmail versions 1.5.0 through 1.6.10. The vulnerability allows an authenticated attacker to ... CVE-2025-49113 - Roundcube Remote Code Execution A proof-of-concept exploit for CVE-2025-49113, a remote code execution vulnerability in…

  5. CVE-2025-49113 - Remote Code Execution in Roundcube Webmail via ...

    CVE-2025-49113 is a critical vulnerability affecting Roundcube Webmail (before version 1.5.10 and 1.6.x before 1.6.11). If you’re running one of these versions, your email system could be wide open to remote code execution (RCE) attacks, even just from a regular logged-in user.