Severe 10-Year-Old Roundcube Webmail Bug Lets Authenticated Users Execute Malicious Code


Critical Vulnerability Discovered in Roundcube Webmail Software

A Decade-Long Flaw Uncovered

Cybersecurity experts have recently brought to light a significant security weakness in the Roundcube webmail platform that has eluded detection for nearly ten years. This vulnerability poses serious risks as it can be exploited by attackers to take control of affected systems and execute arbitrary code.

Overview of the Vulnerability

Tracked as CVE-2025-49113, the flaw carries a CVSS score of 9.9 out of 10. It is described as post-authentication remote code execution via PHP object deserialization, and it is particularly concerning because it allows authenticated users to execute harmful code remotely.

The National Institute of Standards and Technology (NIST) details that “Roundcube Webmail versions prior to 1.5.10 and 1.6.x before 1.6.11 permit remote code execution by authenticated users due to a lack of validation of the _from parameter in the URL within the program/actions/settings/upload.php file.”

Affected Versions and Remediation

This vulnerability affects all versions before and including 1.6.10. Fortunately, it has been addressed in the newly released versions 1.6.11 and 1.5.10 LTS. Kirill Firsov, the founder and CEO of FearsOff, is credited with discovering and reporting this significant flaw.
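The version ranges above, written as a triage check over an inventory of Roundcube installs. This is an added example, not code from Roundcube or FearsOff; the host names and inventory are constructed, and treating branches newer than 1.6 as outside the affected range is an assumption.

```python
import re

# Fixed releases named in the article: 1.5.10 (LTS) and 1.6.11.
FIXED_BY_BRANCH = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}
OLDEST_FIXED_BRANCH = min(FIXED_BY_BRANCH)


def parse_version(text):
    """Return (major, minor, patch) from strings such as '1.6.10' or '1.5.9-git'."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version_text):
    """True if the version falls in the ranges the article lists for CVE-2025-49113."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    # Branches older than 1.5 are "prior to 1.5.10" and have no fixed release
    # named in the article. Newer branches are assumed unaffected (assumption).
    return branch < OLDEST_FIXED_BRANCH


def triage(inventory):
    """Split {host: version string} into upgrade / ok / unknown host lists."""
    result = {"upgrade": [], "ok": [], "unknown": []}
    for host, version_text in sorted(inventory.items()):
        try:
            bucket = "upgrade" if is_affected(version_text) else "ok"
        except ValueError:
            bucket = "unknown"  # unreadable version: verify by hand, do not assume safe
        result[bucket].append(host)
    return result


# Constructed inventory for illustration only.
SAMPLE_INVENTORY = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.11",
    "mail-c.example": "1.5.9-git",
    "mail-d.example": "1.5.10",
    "mail-e.example": "1.4.15",
    "mail-f.example": "not reported",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket should be checked manually rather than treated as patched.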

Insights from the Cybersecurity Community

FearsOff, based in Dubai, has issued a brief advisory indicating its plans to disclose more technical specifics and a proof-of-concept (PoC) in the near future. This move is intended to give users ample time to implement the necessary security patches before further information is revealed.

Previous Threats and Exploits

Roundcube has previously been targeted by state-sponsored threat actors, including groups like APT28 and Winter Vivern. Last year, Positive Technologies reported efforts by unidentified hackers attempting to exploit a Roundcube vulnerability (CVE-2024-37383) in a phishing campaign aimed at stealing user credentials.

Moreover, just a few weeks ago, ESET revealed that APT28 had exploited cross-site scripting (XSS) vulnerabilities in various webmail services, such as Roundcube, Horde, MDaemon, and Zimbra. These malicious activities were primarily aimed at harvesting sensitive data from email accounts linked to governmental entities and defense contractors in Eastern Europe.

Importance of Timely Updates

The detection of this critical vulnerability is a stark reminder of the ongoing risks faced by users of webmail services. Keeping software updated is fundamental in safeguarding against potential exploits and cyberattacks. Users are strongly encouraged to promptly upgrade to the latest versions of Roundcube to mitigate any risks associated with this vulnerability.

Keeping Informed

For ongoing updates and in-depth analyses of cybersecurity issues, following reputable sources is essential. Platforms like Twitter and LinkedIn often share exclusive content on the latest security vulnerabilities and best practices for protection.

By staying informed and vigilant, users can better protect their data and systems from increasingly sophisticated cyber threats.
