Critical Vulnerabilities in Roundcube Webmail (CVE-2025-49113)

Published On: Jun 16, 2025 08:57

Advisory No: TZCERT-SA-25-0098

Source: Roundcube

Software Affected: Roundcube Webmail

Overview

A critical vulnerability affects Roundcube Webmail. Successful exploitation may allow an attacker to achieve remote code execution on the affected server.

Description

Roundcube Webmail is affected by a vulnerability tracked as CVE-2025-49113 with a CVSS score of 9.9. The vulnerability results from the _from URL parameter not being validated in program/actions/settings/upload.php, which allows PHP object deserialization of attacker-controlled data. Upon successful exploitation, the vulnerability allows authenticated attackers to execute code remotely.
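For defenders reviewing web server logs while patches are rolled out, the following is an added detection example (not Roundcube code and not part of this advisory). It assumes combined-format access logs, that Roundcube dispatches the settings upload handler named above through its usual _task=settings&_action=upload query parameters, and that a _from value shaped like PHP serialize() output (e.g. O:8:"stdClass":...) warrants investigation; the sample log lines are constructed.

```python
"""Flag Roundcube settings/upload requests whose _from parameter looks like
serialized PHP data (heuristic for CVE-2025-49113 probing). Added example;
assumptions: combined access-log format and Roundcube's _task/_action routing."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# PHP serialize() output starts with a type/length prefix: O:8:"...", a:2:{, C:5:...
PHP_SERIALIZED_RE = re.compile(r'(?:^|[^A-Za-z])(?:O|a|C):\d+:')


def is_suspicious_from(value: str) -> bool:
    """True when a _from value resembles a serialized PHP object, array or class."""
    # unquote() again in case the value was double URL-encoded; harmless otherwise
    return PHP_SERIALIZED_RE.search(unquote(value)) is not None


def scan_access_log(lines):
    """Return (client, user, time, target) for requests that reach the settings
    upload action with a serialized-looking _from parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, user, when, _method, target, _status = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
            continue  # only the upload handler named in the advisory is of interest
        if any(is_suspicious_from(v) for v in query.get("_from", [])):
            hits.append((client, user, when, target))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.4 - alice [15/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.7 - bob [15/Jun/2025:10:05:44 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 221',
    '198.51.100.9 - carol [15/Jun/2025:10:07:10 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("suspicious _from parameter:", hit)
```

A hit is a lead for investigation, not proof of compromise; legitimate _from values in Roundcube are short action names such as edit-identity, so anything resembling serialized data stands out.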

Impact

Successful exploitation of this vulnerability may allow the attackers to take control of the affected system.

Solution

Roundcube has released security patches for this vulnerability. Users and administrators are encouraged to apply the necessary updates.
