Cybersecurity researchers have disclosed particulars of a vital safety flaw within the Roundcube webmail software program that has gone unnoticed for a decade and might be exploited to take over prone techniques and execute arbitrary code.
The vulnerability, tracked as CVE-2025-49113, carries a CVSS rating of 9.9 out of 10.0. It has been described as a case of post-authenticated distant code execution by way of PHP object deserialization.
“Roundcube Webmail earlier than 1.5.10 and 1.6.x earlier than 1.6.11 permits distant code execution by authenticated customers as a result of the _from parameter in a URL is just not validated in program/actions/settings/add.php, resulting in PHP Object Deserialization,” reads the description of the flaw within the NIST’s Nationwide Vulnerability Database (NVD).
The shortcoming, which impacts all variations of the software program earlier than and together with 1.6.10, has been addressed in 1.6.11 and 1.5.10 LTS. Kirill Firsov, founder and CEO of FearsOff, has been credited with discovering and reporting the flaw.
The Dubai-based cybersecurity firm famous in a quick advisory that it intends to make public extra technical particulars and a proof-of-concept (PoC) “quickly” in order to present customers ample time to use the required patches.
Beforehand disclosed safety vulnerabilities in Roundcube have been a profitable goal for nation-state risk actors like APT28 and Winter Vivern. Final 12 months, Constructive Applied sciences revealed that unidentified hackers tried to take advantage of a Roundcube flaw (CVE-2024-37383) as a part of a phishing assault designed to steal person credentials.
Then a few weeks in the past, ESET famous that APT28 had leveraged cross-site scripting (XSS) vulnerabilities in numerous webmail servers similar to Roundcube, Horde, MDaemon, and Zimbra to reap confidential information from particular electronic mail accounts belonging to governmental entities and protection corporations in Jap Europe.
