
In a stunningly fast-moving sequence of events, a serious vulnerability in the widely-used Roundcube webmail client—CVE-2025-49113—has been disclosed early by security researcher Kirill Firsov, founder of FearsOff. Initially slated for responsible disclosure, the flaw’s technical details were published prematurely due to “attackers already diffing and weaponizing the vulnerability within 48 hours” of a patch being made public on GitHub.
“Given the active exploitation and evidence of the exploit being sold in underground forums, I believe it is in the best interest of defenders… to publish a full technical breakdown,” Firsov explained.
Roundcube is the default webmail client embedded into shared hosting environments and control panels like cPanel, Plesk, ISPConfig, and others. According to Firsov, it’s so ubiquitous it’s “like WordPress plugins, but somehow with even less privilege separation.”
From GoDaddy to Gandi, Johns Hopkins to Cambridge, Roundcube is everywhere—across commercial, academic, and even government infrastructure. That means one bug has the power to grant attackers shells “at industrial scale.”

CVE-2025-49113 affects:
- All Roundcube versions from 1.1.0 to 1.5.9 and 1.6.x up to 1.6.10
- Default installations—no special configuration or dependencies needed
The safe versions are:
- 1.5.10
- 1.6.11
What makes this vulnerability so dangerous is that it:
- Has been hiding in plain sight for over 10 years
- Bypasses Web Application Firewalls (WAFs)
- Requires only a valid login (although CSRF variants may be possible)
Firsov’s deep dive revealed the flaw originates in how Roundcube handles PHP session deserialization. By manipulating GET parameters such as _from, and crafting the name of an uploaded file to include serialized object data, attackers can inject malicious payloads into the session data—without triggering any alarms.
“Testing this theory immediately confirmed success in practice… arbitrary variables can be injected into the current session—a scenario that should not be accessible to the user,” Firsov adds.
Eventually, this session poisoning leads to PHP Object Injection (POI), and thanks to Roundcube’s dependency on the PEAR library, attackers can leverage classes like Crypt_GPG_Engine to trigger Remote Code Execution (RCE).
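As an added defender-side example (not code from the article or from Firsov's write-up), the following Python checks a Roundcube version string against the affected ranges given above and scans web-server access log lines for query parameters, `_from` among them, whose decoded value carries PHP serialize() tokens. The log lines are constructed, the class name in the flagged value is a dummy, and the token regex is a generic heuristic for serialized data, not the shape of any real payload; it inspects every query parameter rather than only `_from`.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tokens of PHP's serialize() format: O:<len>:"Class", a:<n>:{ and s:<len>:".
# None of these belong in a webmail request parameter or an upload filename.
SERIALIZED_RE = re.compile(r'(?:[Oa]:\d+:["{]|s:\d+:")')
# Combined log format: client IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')
# Affected ranges as given in the write-up (inclusive bounds).
AFFECTED = [((1, 1, 0), (1, 5, 9)), ((1, 6, 0), (1, 6, 10))]

def parse_version(version: str) -> tuple:
    """'1.6.10' -> (1, 6, 10); shorter strings are padded with zeros."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable_version(version: str) -> bool:
    """True for 1.1.0..1.5.9 and 1.6.0..1.6.10; 1.5.10 and 1.6.11 are patched."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def looks_serialized(value: str) -> bool:
    """Flag a parameter value (or upload filename) carrying serialize() tokens."""
    return SERIALIZED_RE.search(value) is not None

def find_suspicious_requests(log_text: str) -> list:
    """Return {ip, param, value} for every query parameter whose percent-decoded
    value looks like PHP serialized data (parse_qs does the decoding)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if looks_serialized(value):
                    hits.append({"ip": m.group("ip"), "param": name, "value": value})
    return hits

# Constructed sample log; the _from value on the second line is a dummy
# serialized object of a made-up class "X", not a real payload.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Jun/2025:10:01:02 +0000] "GET /roundcube/?_task=mail&_mbox=INBOX HTTP/1.1" 200 5123
203.0.113.11 - - [05/Jun/2025:10:01:09 +0000] "GET /roundcube/?_task=mail&_from=O%3A1%3A%22X%22%3A0%3A%7B%7D HTTP/1.1" 200 412
203.0.113.12 - - [05/Jun/2025:10:02:00 +0000] "POST /roundcube/?_task=mail&_action=upload&_from=compose HTTP/1.1" 200 88
"""
```

Upload filenames are not visible in access logs; run `looks_serialized()` over application or upload logs for that side of the issue.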
“If you’re running anything older [than 1.5.10 or 1.6.11], you are a sitting duck!” Firsov warns.
Admins must immediately upgrade to the patched versions and audit their environments for signs of compromise. Since WAFs offer no defense and the vulnerability is already being sold in dark forums, time is of the essence.