CVE-2025-49113

9.9 CRITICAL

📋 TL;DR

CVE-2025-49113 is a critical (CVSS 9.9) post-authentication remote code execution vulnerability in Roundcube Webmail. The _from parameter handled by program/actions/settings/upload.php is not validated, and a crafted value reaches PHP object deserialization, so any logged-in webmail user can execute arbitrary PHP code on the server. Every installation running an unpatched version is affected, whatever its configuration.

💻 Affected Systems

Products:
  • Roundcube Webmail
Versions: Roundcube versions before 1.5.10 and 1.6.x before 1.6.11
Operating Systems: Any platform Roundcube runs on; the flaw is in Roundcube's PHP code, not in the OS or web server.
Default Config Vulnerable: ⚠️ Yes
Notes: A valid webmail login is required, but any ordinary user account is sufficient (no admin role). Phished, password-sprayed or credential-stuffed accounts therefore turn this into a practical remote takeover of the mail server.

📦 What is this software?

Roundcube Webmail is a browser-based IMAP email client written in PHP. It is widely deployed by hosting providers and bundled with hosting control panels, and it is usually exposed directly to the internet as an organization's webmail front end.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to internal networks, and maintain persistent access.

🟠

Likely Case

Unauthorized access to email accounts, data exfiltration, installation of web shells, and potential lateral movement within the network.

🟢

If Mitigated

Limited impact with proper network segmentation, strong authentication controls, and monitoring in place, potentially containing the attack to the webmail server.

🌐 Internet-Facing: HIGH - Roundcube webmail servers are typically internet-facing, making them accessible to attackers worldwide.
🏢 Internal Only: MEDIUM - Internal-only deployments reduce external attack surface but remain vulnerable to insider threats or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid login but is otherwise straightforward: the whole chain runs through a normal authenticated session with no special privileges. Public proof-of-concept code was published shortly after the fix, so assume that anyone holding a working set of credentials can use it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Roundcube 1.5.10 and 1.6.11

Vendor Advisory: https://github.com/roundcube/roundcubemail/security/advisories

Restart Required: No for the application itself. If PHP OPcache is enabled with file revalidation turned off, reload PHP-FPM or the web server so the patched files are actually loaded.

Instructions:

1. Back up the Roundcube installation directory and its database.
2. Obtain the patched release (1.5.10 for the 1.5 branch, 1.6.11 for the 1.6 branch) from the official Roundcube repository, or the equivalent update from your distribution or hosting control panel.
3. Replace the application files with the patched release, keeping config/config.inc.php and any locally installed plugins, and run bin/update.sh as described in the release's UPGRADING notes.
4. Verify that the installation works and that the reported version is the patched one.
5. Clear any PHP opcode cache if applicable.

🔧 Temporary Workarounds

Disable file upload functionality

linux

Temporarily disable the vulnerable settings upload action by renaming its file so PHP cannot load it. This only breaks uploads started from the Settings task (for example images for HTML signatures); mail attachment uploads are handled by a separate action and keep working. After you upgrade to a patched version, delete the .disabled copy so no stale vulnerable code lingers on disk.

mv /path/to/roundcube/program/actions/settings/upload.php /path/to/roundcube/program/actions/settings/upload.php.disabled

Implement WAF rules

all

Add web application firewall rules that block requests whose query string contains _task=settings and _action=upload together with a _from value made of anything other than letters, digits, hyphen and underscore (legitimate values are plain action names such as edit-identity). Allow-listing the value beats matching specific payload markers such as an exclamation mark or a PHP serialized-object prefix, because those are trivially varied. Treat this as a stopgap only: the handler behind the WAF is still vulnerable.

🧯 If You Can't Patch

  • Implement strict access controls and multi-factor authentication for all Roundcube user accounts
  • Isolate the Roundcube server in a DMZ with strict network segmentation and outbound traffic monitoring

🔍 How to Verify

Check if Vulnerable:

Roundcube has no version.php; the version is defined as the RCMAIL_VERSION constant in program/include/iniset.php and is also shown in the About dialog of the webmail interface. You are vulnerable if you run 1.5.x below 1.5.10, 1.6.x below 1.6.11, or any older, end-of-life branch.

Check Version:

grep -m1 RCMAIL_VERSION /path/to/roundcube/program/include/iniset.php

Verify Fix Applied:

After patching, verify that the reported version is 1.5.10, 1.6.11 or later, and that program/actions/settings/upload.php matches the file shipped in the patched release (compare its checksum or contents against the release archive rather than trusting the version string alone).
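As an added example (not Roundcube's own tooling): a small Python check that reads RCMAIL_VERSION from program/include/iniset.php and classifies it against the fixed releases named above. The file path is the standard Roundcube layout and the fixed-version table comes from this advisory; the "unknown" result for branches newer than 1.6 is an assumption that you should resolve against the vendor's release notes.

```python
import re
import sys
from pathlib import Path

# Fixed releases per branch, taken from the advisory above.
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}

# Roundcube declares its version in program/include/iniset.php as
#   define('RCMAIL_VERSION', '1.6.10');
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")


def extract_version(php_source: str) -> str:
    """Return the RCMAIL_VERSION string from the contents of iniset.php."""
    m = VERSION_RE.search(php_source)
    if not m:
        raise ValueError("RCMAIL_VERSION not found; is this a Roundcube install?")
    return m.group(1)


def read_roundcube_version(root: str) -> str:
    """Read the version string from a Roundcube installation directory."""
    return extract_version(Path(root, "program", "include", "iniset.php").read_text())


def parse_version(version: str) -> tuple:
    """'1.6.10' -> (1, 6, 10); suffixes such as '-rc1' or '-git' are dropped."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(x) for x in core.split("."))


def cve_2025_49113_status(version: str) -> str:
    """Classify a version as 'vulnerable', 'patched' or 'unknown'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return "vulnerable" if v < FIXED[branch] else "patched"
    if v < (1, 5):
        # 1.4 and older are end-of-life and never received this fix.
        return "vulnerable"
    # Assumption: a branch newer than 1.6 postdates the fix. Confirm this
    # against the vendor release notes rather than trusting the script.
    return "unknown"


if __name__ == "__main__":
    # Usage: python3 check_roundcube.py /path/to/roundcube
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/roundcube"
    try:
        ver = read_roundcube_version(root)
    except FileNotFoundError:
        sys.exit(f"no program/include/iniset.php under {root}")
    print(f"Roundcube {ver}: {cve_2025_49113_status(ver)}")
```

Run it against the installation root; a packaged Roundcube from a distribution may carry a backported fix under an older version number, in which case trust the package changelog over this check.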

📡 Detection & Monitoring

Log Indicators:

  • POST requests to the Roundcube front controller with _task=settings and _action=upload whose _from value is not a plain action name (for example contains "!", URL-encoded punctuation, or PHP serialized-data markers such as O:)
  • Multiple failed authentication attempts followed by a successful login and an immediate settings upload request from the same client
  • PHP warnings or fatal errors in the web server error log or Roundcube's logs/errors.log involving unserialize(), session data, or unexpected object instantiation

Network Indicators:

  • Unusual outbound connections from the webmail server (reverse shells, tool downloads, connections to anything other than the IMAP/SMTP backends)
  • HTTP requests whose query strings or bodies carry URL-encoded PHP serialized data (patterns such as O:<n>:" or a:<n>:{)

SIEM Query:

source="webmail_access_logs" AND url CONTAINS "_task=settings" AND url CONTAINS "_action=upload" AND url CONTAINS "_from=" AND NOT url MATCHES "_from=[A-Za-z0-9_-]+(&|$)"

Roundcube's client normally passes _from in the query string of the upload POST, so the web server access log captures it. If your deployment logs only the request path, enable query-string logging or inspect requests at the reverse proxy, otherwise this query sees nothing.
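The log indicators and the SIEM query above, as an added example in working code (this is not Roundcube's or any vendor's detection content): a Python script that parses combined-format access-log lines, URL-decodes the query string, and flags settings upload requests whose _from value is not a plain action name. The allow-list pattern for _from is an assumption; the three log lines are constructed samples, and the flagged _from value only imitates the shape of a serialized-object payload, it is not an exploit.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumption: legitimate _from values for the settings upload action are
# plain action names such as "edit-identity"; anything else is flagged.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample log lines (not real traffic). The second one carries a
# _from value containing "!" and a PHP serialized-object marker ("O:...") to
# stand in for the kind of payload the advisory describes; it is illustrative
# only and is not a working exploit.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2025:10:01:12 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Jun/2025:10:02:40 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=0%21O%3A4%3A%22Evil%22%3A0%3A%7B%7D HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.7 - - [02/Jun/2025:10:03:01 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Parse one access-log line into a dict with decoded query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = urlsplit(rec["url"]).query
    # parse_qs URL-decodes values, so %21 becomes "!" before we inspect it.
    rec["params"] = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return rec


def is_suspicious_upload(rec: dict) -> bool:
    """True for a settings/upload request whose _from is not a plain action name."""
    p = rec["params"]
    if p.get("_task") != "settings" or p.get("_action") != "upload":
        return False
    frm = p.get("_from")
    return frm is not None and not SAFE_FROM.match(frm)


def find_suspicious(lines):
    """Return client, timestamp and decoded _from for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious_upload(rec):
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "_from": rec["params"]["_from"]})
    return hits


if __name__ == "__main__":
    # Usage: python3 roundcube_upload_hunt.py < /var/log/apache2/access.log
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for hit in find_suspicious(source):
        print(f"{hit['ts']} {hit['ip']} _from={hit['_from']!r}")
```

Decoding before matching matters: a signature written against the raw query string misses the same payload once it is double-encoded or split across parameters, whereas the allow-list check on the decoded value does not. Pair a hit with the authenticated username from Roundcube's own userlogins log or session table to know which account to reset.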
