Remote Code Execution Vulnerability in Roundcube Webmail by Roundcube
CVE-2025-49113
What is CVE-2025-49113?
CVE-2025-49113 is a remote code execution vulnerability in Roundcube Webmail, open-source webmail software widely used to access email through a web interface. The flaw stems from improper validation of the _from parameter in a URL used for file uploads. An authenticated user can exploit it to execute arbitrary PHP code on the server, compromising the webmail application and any data it holds. Organizations running affected versions of Roundcube Webmail are exposed to severe operational disruption, data loss, and unauthorized access.
Potential impact of CVE-2025-49113
- Remote Code Execution: The primary impact of CVE-2025-49113 is that authenticated users can execute arbitrary code on the server. This can lead to unauthorized access, modification, or deletion of sensitive data stored within the webmail application.
- Data Breach and Information Disclosure: Exploitation of this vulnerability can result in significant data breaches, as attackers could gain access to confidential emails, user credentials, and other personal information. This jeopardizes user privacy and exposes organizations to legal and regulatory repercussions.
- Service Disruption: A successful exploit could allow attackers to disrupt services by manipulating webmail functionality, potentially causing downtime or loss of availability, which affects organizational productivity and service reliability.
Affected Version(s)
Roundcube Webmail: all versions before 1.5.10
Roundcube Webmail: versions from 1.6.0 up to, but not including, 1.6.11
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
News Articles
Over 80,000 servers hit as Roundcube RCE bug gets rapidly exploited
A critical remote code execution (RCE) vulnerability in Roundcube was exploited days after the patch, impacting over 80,000 servers.
2 weeks ago
Round Cube Vulnerability
Patching Guidance Due to a vulnerability in Roundcube, both Plesk and cPanel require an update, which should be automatically picked up. However, users are recommended to force the update through. If you need...
2 weeks ago
PoC Code Escalates Roundcube Vuln Threat
The flaw allows an authenticated attacker to gain complete control over a Roundcube webmail server.
2 weeks ago
EPSS Score
75% chance of being exploited in the next 30 days.
Timeline
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 🟡 Public PoC available
- 📈 Vulnerability started trending
- 👾 Exploit known to exist
- 📰 First article discovered by The Hacker News
- Vulnerability published
- Vulnerability reserved