Critical Flaw in RoundCube Webmail Software Enables Remote Code Execution
By Netvora Tech News
A critical vulnerability in RoundCube, the open-source webmail software, allows remote code execution on the mail servers that host it, making it a serious concern for the many organizations running the software. A security update is available, and administrators are urged to install it immediately.

The flaw, tracked as CVE-2025-49113, stems from a URL parameter (_from, handled by the settings upload action) that is not validated. A crafted value reaches PHP object deserialization, which lets an attacker execute code on the server. Exploitation requires a valid account on the mail server: an attacker must first obtain user credentials, for example through phishing or credential theft, but once logged in any authenticated user can trigger the bug. The vulnerability is rated critical, with a CVSS score of 9.9 out of 10.

It was discovered and reported by cybersecurity firm FearsOff, which initially intended to keep the technical details private. However, with the patch publicly visible on GitHub and attackers having analyzed and weaponized the vulnerability within 48 hours, FearsOff no longer considers the details worth withholding.

"We believe it is in the interest of defenders, blue teams, and the broader security community to publish a comprehensive technical explanation, but to hold back the proof-of-concept for now," said Kirill Firsov of FearsOff. "Given the active exploitation and evidence that the exploit is being sold in underground forums, I think it's important that organizations update to RoundCube 1.6.11 or 1.5.10 LTS as soon as possible."

RoundCube has been a frequent target of attacks in the past.
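To show what "PHP object deserialization" means in practice, here is an added illustration that is not Roundcube's code and not the CVE-2025-49113 exploit: a hypothetical gadget class (TempFileCleaner), a vulnerable function that passes a request parameter straight to unserialize(), and a hardened version that sets allowed_classes to false so no object, and therefore no magic method, is ever instantiated from untrusted input. The class name, the function names and the file-deletion side effect are assumptions made for the demo; it runs on PHP 8.

```php
<?php
// Added demo of PHP object injection. Hypothetical code, not Roundcube's.

// A "gadget": any loadable class whose magic method has side effects.
// Deleting a file stands in for something worse (dropping a webshell,
// running a command) that a real gadget chain would do.
class TempFileCleaner
{
    public string $path = '';

    // PHP calls this when the object is freed, even for objects that
    // unserialize() rebuilt from attacker-supplied bytes.
    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// VULNERABLE: a request parameter goes straight into unserialize(),
// so the attacker decides which class gets instantiated.
function restoreStateVulnerable(string $param): mixed
{
    return unserialize(base64_decode($param));
}

// HARDENED: allowed_classes => false turns every object in the payload
// into __PHP_Incomplete_Class, which has no destructor or wakeup hook.
// (Better still: never unserialize() untrusted data at all; use JSON.)
function restoreStateHardened(string $param): mixed
{
    $raw = base64_decode($param, true);
    if ($raw === false) {
        throw new InvalidArgumentException('parameter is not valid base64');
    }
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed attacker payload. Built as a string rather than via
// serialize(new TempFileCleaner(...)) so that no real gadget object
// exists on our side before the victim code deserializes it.
function buildPayload(string $target): string
{
    $serialized = sprintf(
        'O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}',
        strlen($target),
        $target
    );
    return base64_encode($serialized);
}

// Vulnerable path: the gadget is rebuilt and __destruct fires as soon
// as the last reference to it is dropped.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$obj = restoreStateVulnerable(buildPayload($victim));
unset($obj);
echo 'vulnerable path: file ', file_exists($victim) ? 'still exists' : 'was deleted by the gadget', PHP_EOL;

// Hardened path with the same payload: no TempFileCleaner is created,
// so the file survives.
$victim = tempnam(sys_get_temp_dir(), 'poi');
$obj = restoreStateHardened(buildPayload($victim));
echo 'hardened path: payload deserialized as ', get_class($obj), PHP_EOL;
unset($obj);
echo 'hardened path: file ', file_exists($victim) ? 'still exists' : 'was deleted by the gadget', PHP_EOL;
unlink($victim);
```

The takeaway for defenders is that the dangerous step is not the parameter itself but the fact that attacker-controlled bytes reach a deserializer that will instantiate arbitrary loadable classes; validating the input where it enters (as the Roundcube fix does for the parameter named above) and refusing object instantiation at the deserializer are complementary controls, and a codebase with many classes carrying __destruct or __wakeup methods should assume a usable gadget chain exists.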