
Roundcube Webmail, a widely-used browser-based IMAP client, has patched a critical security vulnerability, tracked as CVE-2025-49113 (CVSS 9.9), that could allow remote code execution (RCE) following authentication. The flaw was disclosed by security researcher firs0v, and addressed in the latest releases of the 1.6 and 1.5 LTS branches.
The security update includes a fix for a post-authentication RCE vulnerability via PHP object deserialization. This type of flaw can allow an attacker with valid credentials—or access to an already authenticated session—to execute arbitrary PHP code on the server, posing significant risk to data integrity and server control.
“Fix Post-Auth RCE via PHP Object Deserialization reported by firs0v,” reads the changelog entry, marking the vulnerability as a high-priority issue in the latest releases.
Although technical details are currently limited, deserialization vulnerabilities typically occur when user-controllable input is processed by PHP’s unserialize() function without proper validation—allowing attackers to craft payloads that trigger malicious object behavior.
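The unserialize() pattern described above, as an added illustration that is not Roundcube's code: the CacheEntry class, the sample serialized string and the helper functions are hypothetical. It shows the vulnerable call beside two hardened forms.

```php
<?php
// Added example (not Roundcube code). Class name, sample input and
// helper function names are hypothetical.

// Any class loaded by the application that defines a "magic" method
// (__wakeup, __destruct, __toString, ...) becomes reachable once
// attacker-controlled data reaches unserialize(): PHP instantiates
// whatever class the string names and runs that method.
class CacheEntry
{
    public string $path = '';

    public function __wakeup(): void
    {
        // Side effect that fires during deserialization. Here it is only a
        // log line; in an application class it could be far more consequential.
        error_log("CacheEntry restored for {$this->path}");
    }
}

// Constructed sample input: what a client could place in a cookie or POST field.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:12:"cache/item42";}';

// VULNERABLE: arbitrary classes are instantiated and their magic methods run.
function restoreVulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// HARDENED 1: refuse to instantiate any class. Object payloads degrade to
// __PHP_Incomplete_Class and no magic method is executed.
function restoreHardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// HARDENED 2 (preferred for new code): do not use PHP's native serialization
// for data that crosses a trust boundary at all; JSON cannot name PHP classes.
function restoreJson(string $blob): mixed
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

$v = restoreVulnerable($untrusted);   // CacheEntry::__wakeup() runs here
$h = restoreHardened($untrusted);     // no __wakeup(); object is incomplete
var_dump(get_class($v));
var_dump(get_class($h));
```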
Roundcube Webmail is a popular solution deployed by individuals, hosting providers, and enterprises alike. Given its widespread use and its direct interaction with email data, a server-side RCE vulnerability—even post-auth—could allow attackers to:
- Deploy web shells
- Access or alter emails and user data
- Use compromised servers for further internal intrusion or spam campaigns
The vulnerability impacts both:
- Roundcube 1.6.x
- Roundcube 1.5.x (LTS)
Users are urged to upgrade to the latest versions:
These versions also include numerous bug fixes, including improvements to OAuth token refresh, HTML message previews, dark mode rendering, and support for ldapi:// URIs.