CVE-2024-37385

9.8 CRITICAL

📋 TL;DR

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7, when running on Windows, allows command injection through the im_convert_path and im_identify_path settings (the configured paths to ImageMagick's convert and identify binaries). Whoever can set those values can execute arbitrary commands on the server with the privileges of the web server process. The flaw exists because the fix for CVE-2020-12641 was incomplete on Windows, so installations that already carry the 2020 fix are still affected there.

💻 Affected Systems

Products:
  • Roundcube Webmail
Versions: Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes (the vulnerable code is present in every install; exploitation needs a way to set the two settings, see Exploit Status)
Notes: Only affects Windows installations, where shell quoting and path handling differ from Unix-like systems, so the escaping added for CVE-2020-12641 did not stop injection there. This CVE is the incomplete fix for CVE-2020-12641.

📦 What is this software?

Roundcube Webmail is a free, open-source, browser-based IMAP email client written in PHP, widely deployed by hosting providers and organizations as a self-hosted webmail front end.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing attackers to execute arbitrary commands, install malware, exfiltrate data, or pivot to other systems.

🟠 Likely Case

Server compromise leading to email data theft, credential harvesting, or use as a foothold for further attacks.

🟢 If Mitigated

Limited impact with proper network segmentation, a low-privilege web server account, and no remote route to the two settings (installer directory removed, ImageMagick paths unset or fixed).

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes where the installer is reachable (the 9.8 CVSS vector assumes no privileges required); otherwise configuration write access is needed
Complexity: LOW

The two settings are configuration values, not parameters of the normal webmail interface, so an attacker needs some way to set them. The classic route, and the one behind CVE-2020-12641, is a Roundcube installer directory left reachable after setup: it accepts configuration values from a remote user and exercises them, and it needs no account. Otherwise the attacker must already be able to write config/config.inc.php. Exploitation then consists of placing shell metacharacters in the path value so that extra commands run when Roundcube invokes ImageMagick.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.7 or 1.6.7

Vendor Advisory: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7 and https://github.com/roundcube/roundcubemail/releases/tag/1.6.7

Restart Required: Yes

Instructions:

1. Back up the current Roundcube installation and database.
2. Download and extract Roundcube 1.5.7 (1.5 branch) or 1.6.7 (1.6 branch).
3. Replace the existing files with the new version, keeping config/config.inc.php and any local plugins and skins.
4. Run the bundled update script (bin/update.sh; on Windows invoke it with php) to apply database and configuration migrations.
5. Restart the web server (and the PHP FastCGI/FPM processes, if they run separately) so the old code is no longer loaded.
6. Confirm that no installer directory remains in the web root and that $config['enable_installer'] is false.

🔧 Temporary Workarounds

Restrict path configuration

Applies to: all affected versions

Set im_convert_path and im_identify_path to null, so Roundcube never invokes ImageMagick and uses PHP's GD extension for image work instead, or, if ImageMagick is required, to an absolute path to the binary containing no shell metacharacters. Make sure the values cannot be changed from outside: remove the installer directory and keep enable_installer set to false.

Edit config/config.inc.php and set: $config['im_convert_path'] = null; $config['im_identify_path'] = null;

Disable image processing

Applies to: all affected versions

Disable the features that invoke the configured ImageMagick binaries. Attachment thumbnails are only one such code path (contact photos and image previews are others), so this narrows the exposure rather than removing it; unsetting the two paths is the more complete workaround.

Edit config/config.inc.php and set: $config['enable_attachment_thumbnails'] = false; Roundcube silently ignores option names it does not know, so confirm that this option exists in config/defaults.inc.php for your release before relying on it.

🧯 If You Can't Patch

  • Remove the installer directory from the web root and keep $config['enable_installer'] = false; without it, a remote user has no route to the two settings
  • If you maintain a local fork, backport the change from the 1.5.7/1.6.7 release and reject any configured path that is not an absolute path to an existing executable or that contains shell metacharacters
  • Run the web server and PHP as a dedicated low-privilege account, restrict its outbound network access, and alert on child processes other than the expected ImageMagick binaries

🔍 How to Verify

Check if Vulnerable:

The installation is affected when it runs on Windows and the Roundcube version is below 1.5.7 (any 1.5.x before 1.5.7, and all 1.4.x and older) or is 1.6.0 through 1.6.6.

Check Version:

The version is the RCMAIL_VERSION constant in program/include/iniset.php (define('RCMAIL_VERSION', '...')); index.php carries it in its header comment, and the About dialog under Settings shows it in the UI.

Verify Fix Applied:

The installation is fixed when the version is 1.5.7 or later on the 1.5 branch, or 1.6.7 or later on the 1.6 branch. "1.5.7 or higher" alone is not enough: 1.6.0 through 1.6.6 sort above 1.5.7 but are still vulnerable.
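
The following Python script is an added example (not Roundcube's own tooling): it reads the RCMAIL_VERSION constant from the text of program/include/iniset.php and decides whether the version/platform pair falls in the affected range given above. The define() format it parses is the one Roundcube's iniset.php uses; the script name, the install path in the usage comment, and the decision to treat 1.7 and later as outside the affected range are assumptions.

```python
import platform
import re
import sys

# Fixed releases named on this page. Everything older than 1.5.7 (1.4.x, 1.3.x, ...)
# is inside "before 1.5.7"; the 1.6 branch is fixed from 1.6.7.
FIX_1_5 = (1, 5, 7)
FIX_1_6 = (1, 6, 7)

# Roundcube's iniset.php declares the version as: define('RCMAIL_VERSION', '1.6.6');
DEFINE_RE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def parse_rcmail_version(iniset_source: str) -> str:
    """Return the RCMAIL_VERSION string found in the text of program/include/iniset.php."""
    match = DEFINE_RE.search(iniset_source)
    if match is None:
        raise ValueError("RCMAIL_VERSION define not found; is this iniset.php?")
    return match.group(1)


def version_tuple(version: str) -> tuple:
    """'1.6.6' -> (1, 6, 6); development snapshots such as '1.7-git' -> (1, 7, 0)."""
    numeric = re.match(r"(\d+(?:\.\d+)*)", version)
    if numeric is None:
        raise ValueError(f"unparseable version {version!r}")
    parts = [int(p) for p in numeric.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(version: str, on_windows: bool) -> bool:
    """True when this version/platform pair is in the affected range for CVE-2024-37385."""
    if not on_windows:
        return False  # the advisory scopes the CVE to Windows hosts
    v = version_tuple(version)
    if v < (1, 6, 0):
        return v < FIX_1_5  # 1.5.x and older: fixed in 1.5.7
    if v < (1, 7, 0):
        return v < FIX_1_6  # 1.6.x: fixed in 1.6.7
    return False  # 1.7 and later are outside the published affected range (assumption)


if __name__ == "__main__":
    # Usage: python check_rc_version.py C:\inetpub\roundcube\program\include\iniset.php
    # (script name and install path are assumptions)
    with open(sys.argv[1], encoding="utf-8") as fh:
        found = parse_rcmail_version(fh.read())
    windows = platform.system() == "Windows"
    verdict = "VULNERABLE" if is_vulnerable(found, windows) else "not affected"
    print(f"Roundcube {found} on {platform.system()}: {verdict}")
```

The branch-aware comparison is the point: a plain "version >= 1.5.7" test would wrongly clear 1.6.0 through 1.6.6.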

📡 Detection & Monitoring

Log Indicators:

  • Child processes spawned by the web server or PHP process (w3wp.exe/php-cgi.exe under IIS, httpd.exe under Apache) other than the configured convert.exe/identify.exe, visible in Windows process-creation auditing (Security Event ID 4688) or Sysmon Event ID 1
  • Requests to the installer directory (/installer/) on a production host, and requests whose im_convert_path or im_identify_path values contain shell metacharacters (check after URL-decoding)

Network Indicators:

  • Unexpected outbound connections originating from the web server or PHP process
  • Periodic beaconing from the web server to an external host, which a webmail server has no reason to do

SIEM Query:

web_server_logs WHERE (url CONTAINS 'im_convert_path' OR url CONTAINS 'im_identify_path') AND (url CONTAINS ';' OR url CONTAINS '|' OR url CONTAINS '&' OR url CONTAINS '`' OR url CONTAINS '%3B' OR url CONTAINS '%7C' OR url CONTAINS '%26' OR url CONTAINS '%60')

web_server_logs WHERE url CONTAINS '/installer/'

The first query only sees what the server logged in the request line: values sent in a POST body are not matched, and the '&' test also fires on the ordinary query-string separator, so review hits rather than alert on them blindly.
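
As an added example, not from the page or the Roundcube project, the Python below runs that detection logic over a few constructed access-log lines. It improves on a literal-substring query in two ways: it percent-decodes parameter values (so %26 is recognised as &) and it looks for metacharacters only inside the values of parameters whose name contains im_convert_path or im_identify_path, rather than anywhere in the URL, where the & separator would match every multi-parameter request. It also flags any request to an /installer/ path. The log lines, IPs and parameter names are constructed; the real installer form field names depend on the Roundcube version, which is why the name is matched as a substring. The characters $ and ^ are added to the page's metacharacter list as an assumption (POSIX command substitution and cmd.exe's escape character).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic, IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - alice [10/Jun/2024:12:00:01 +0000] "GET /roundcube/?_task=mail HTTP/1.1" 200 5123
203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "GET /roundcube/installer/?_step=3 HTTP/1.1" 200 2210
203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "POST /roundcube/installer/?_step=3&im_identify_path=C%3A%5Cim%5Cidentify.exe%26calc.exe HTTP/1.1" 200 2210
203.0.113.7 - bob [10/Jun/2024:12:00:04 +0000] "GET /roundcube/?_task=settings&_action=about HTTP/1.1" 200 800
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

PATH_PARAMS = ("im_convert_path", "im_identify_path")
# The page's list (; | & `) plus $ and ^ as an assumption: $( ) command substitution and
# cmd.exe's escape character.
SHELL_META = frozenset(";|&`$^")


def suspicious_params(url: str) -> list:
    """(name, decoded value) pairs for path parameters whose value holds a shell metacharacter."""
    query = urlsplit(url).query
    hits = []
    # parse_qs splits on '&' before percent-decoding, so an encoded %26 stays inside the value
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if not any(p in name for p in PATH_PARAMS):
            continue
        hits.extend((name, v) for v in values if any(c in v for c in SHELL_META))
    return hits


def analyse_line(line: str):
    """Return a finding dict for one access-log line, or None when nothing is suspicious."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    url = match["url"]
    reasons = []
    if "/installer/" in urlsplit(url).path:
        reasons.append("installer_reachable")  # the installer should not exist on a production host
    params = suspicious_params(url)
    if params:
        reasons.append("path_param_with_shell_metachar")
    if not reasons:
        return None
    return {"ip": match["ip"], "ts": match["ts"], "method": match["method"],
            "url": url, "params": params, "reasons": reasons}


def scan(log_text: str) -> list:
    """Run analyse_line over every line and keep the findings, in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = analyse_line(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], ", ".join(f["reasons"]), f["url"])
```

Running it on the sample flags the two installer requests and, for the third line, also names the decoded value C:\im\identify.exe&calc.exe that a raw-substring query would have missed because the & was sent as %26. Like the SIEM query, it only sees the request line, so POST bodies still need a WAF or application-level log.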

🔗 References

  • NVD entry for this CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-37385
  • Roundcube 1.5.7 release: https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
  • Roundcube 1.6.7 release: https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
  • The incompletely fixed original issue, CVE-2020-12641: https://nvd.nist.gov/vuln/detail/CVE-2020-12641
