
Critical 10-Year-Old Roundcube Webmail Bug Discovered

Updated: 24 hours ago

A critical vulnerability, present for a decade in Roundcube webmail software, has been uncovered, allowing authenticated users to execute malicious code. This flaw, with a CVSS score of 9.9, affects millions of installations globally, including those bundled with popular hosting control panels. Immediate patching is strongly advised.



Decade-Old Flaw Uncovered in Roundcube Webmail

Cybersecurity researchers have revealed a critical security flaw, tracked as CVE-2025-49113, in the widely used Roundcube webmail software. This vulnerability, which has gone unnoticed for approximately ten years, could enable authenticated users to gain control of susceptible systems and execute arbitrary code. The flaw has been assigned a severe CVSS score of 9.9 out of 10.0, highlighting its significant risk.

Technical Details of the Vulnerability

The vulnerability is described as a case of post-authenticated remote code execution (RCE) via PHP object deserialization. Specifically, the issue arises because the parameter in a URL within is not properly validated. This oversight allows malicious manipulation of serialized PHP objects, leading to arbitrary code execution on the server.
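The paragraph above names the bug class but not the mechanism. The following is an added illustration (not Roundcube code, and not from the article's sources) of why passing untrusted data to PHP's unserialize() is dangerous and how the call is neutralised. The class TempFile, the function names and the request payload are all constructed for the example; nothing here reflects Roundcube's actual code paths.

```php
<?php
// Added example: unserialize() on attacker-controlled input versus two
// hardened alternatives. All names and the payload below are constructed.
declare(strict_types=1);

// Hypothetical application class with a magic method. Any autoloadable class
// with __wakeup() or __destruct() becomes a "gadget" once an attacker controls
// the serialized string, because PHP instantiates it and runs those methods.
final class TempFile
{
    public function __construct(public string $path) {}

    // Runs automatically when the object is freed, i.e. merely unserializing
    // a string that names this class is enough to reach this code.
    public function __destruct()
    {
        echo "[cleanup] would remove {$this->path}\n";
    }
}

// Vulnerable pattern: a request parameter goes straight into unserialize(),
// so any class the application can load may be instantiated.
function restore_unsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation. Class entries decode to
// __PHP_Incomplete_Class placeholders, so no magic method of a real class runs.
function restore_scalars_only(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted input at all.
// JSON has no object-construction semantics; validate the shape explicitly.
function restore_json(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data) || !isset($data['name']) || !is_string($data['name'])) {
        return null;
    }
    return ['name' => $data['name']];
}

// Constructed input shaped like a serialized TempFile object.
$payload = 'O:8:"TempFile":1:{s:4:"path";s:14:"/tmp/important";}';

// Unsafe: a genuine TempFile is created and its destructor will fire later.
$obj = restore_unsafe($payload);
echo "unsafe restore produced a real object: "
    . var_export($obj instanceof TempFile, true) . "\n";

// Hardened: only a placeholder object comes back; the destructor never runs.
$safe = restore_scalars_only($payload);
echo "allowed_classes=false produced a placeholder: "
    . var_export($safe instanceof __PHP_Incomplete_Class, true) . "\n";

// Hardened: JSON input is validated into a plain array.
echo "json restore: " . json_encode(restore_json('{"name":"alice"}')) . "\n";
```

The fix shipped by a project is usually input validation at the call site; the two hardened functions show the general defences that remove the class of bug regardless of which parameter was at fault: refuse to instantiate classes (`allowed_classes => false`) or switch untrusted state to a format such as JSON that cannot name classes at all.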

  • The flaw impacts all Roundcube Webmail versions prior to 1.5.10 and 1.6.x before 1.6.11.

  • It has been addressed in versions 1.6.11 and 1.5.10 LTS.

  • Kirill Firsov, founder and CEO of FearsOff, is credited with the discovery and reporting of this critical flaw.

Widespread Impact and Previous Exploits

This vulnerability has a broad scope of impact, potentially affecting over 53 million hosts worldwide. This includes systems using popular web hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin, which often bundle Roundcube as their default webmail solution.

Roundcube has historically been a target for sophisticated threat actors. Previous vulnerabilities in the platform have been exploited by nation-state groups like APT28 and Winter Vivern. For instance:

  • Last year, unidentified hackers attempted to exploit a Roundcube flaw (CVE-2024-37383) in phishing campaigns aimed at stealing user credentials.

  • More recently, APT28 leveraged cross-site scripting (XSS) vulnerabilities in various webmail servers, including Roundcube, to harvest confidential data from governmental entities and defense companies in Eastern Europe.

Urgent Call for Updates

Given the severity and widespread potential impact of CVE-2025-49113, organizations using Roundcube Webmail are strongly urged to prioritize immediate patching. The Centre for Cybersecurity Belgium has issued urgent warnings, recommending that updates be installed with the highest priority after thorough testing. FearsOff plans to release comprehensive technical details and a proof-of-concept (PoC) soon, following responsible disclosure practices to allow sufficient time for affected parties to implement necessary patches. Organizations should also enhance monitoring capabilities to detect any suspicious activities that might indicate attempted exploitation.
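To act on the patching guidance above, an administrator first needs to know which of the installations they manage are still on an affected release. The script below is an added example, not part of the article or of Roundcube itself: it encodes the version ranges named in this article (fixed in 1.5.10 LTS and 1.6.11) and checks a version string against them. The installation path is a placeholder; the check reads the RCMAIL_VERSION constant that Roundcube defines in program/include/iniset.php, and it treats any branch newer than 1.6 as not listed in the advisory, which is an assumption.

```php
<?php
// Added example: classify a Roundcube version string against the fixed
// releases named in the advisory (1.5.10 and 1.6.11). Not Roundcube code.
declare(strict_types=1);

/**
 * True when $installed falls inside the affected ranges:
 * anything before 1.5.10, or 1.6.0 through 1.6.10.
 * Branches after 1.6 are not named in the advisory; assumed not affected.
 */
function roundcube_is_affected(string $installed): bool
{
    if (version_compare($installed, '1.5.10', '<')) {
        return true;                               // 1.5.9 and every older branch
    }
    if (str_starts_with($installed, '1.6.')) {
        return version_compare($installed, '1.6.11', '<');
    }
    return false;                                  // 1.5.10+, 1.6.11+, or a later branch
}

/**
 * Extract the version from an installation's iniset.php, which contains a line
 * of the form define('RCMAIL_VERSION', '1.6.x'). Returns null if not found.
 */
function roundcube_version_from_install(string $installDir): ?string
{
    $file = rtrim($installDir, '/') . '/program/include/iniset.php';
    if (!is_readable($file)) {
        return null;
    }
    $src = file_get_contents($file);
    if (preg_match("/define\\('RCMAIL_VERSION',\\s*'([^']+)'\\)/", $src, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed sample versions to show each branch of the decision.
foreach (['1.4.13', '1.5.9', '1.5.10', '1.6.10', '1.6.11'] as $v) {
    printf("%-8s %s\n", $v, roundcube_is_affected($v) ? 'AFFECTED - update' : 'patched');
}

// Placeholder path: replace with the real installation directory.
$installed = roundcube_version_from_install('/path/to/roundcube');
if ($installed === null) {
    echo "installation not found or version line not recognised\n";
} else {
    printf("installed %s: %s\n", $installed,
        roundcube_is_affected($installed) ? 'AFFECTED - update' : 'patched');
}
```

Hosting-panel bundles (cPanel, Plesk, ISPConfig, DirectAdmin) may place Roundcube outside the web root and update it through the panel rather than the distribution package, so the path passed to the second function should be the panel's copy, not a default guess.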

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code, The Hacker News.

  • 10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code, CybersecurityNews.
