Critical Roundcube RCE Vulnerability Exploited: Over 80,000 Servers Affected
A critical remote code execution (RCE) vulnerability in Roundcube, tracked as CVE-2025-49113, has been rapidly exploited, impacting over 80,000 servers. Discover the details and implications of this significant cybersecurity threat.
TL;DR
A critical remote code execution (RCE) vulnerability in Roundcube, identified as CVE-2025-49113, has been exploited just days after a patch was released. This flaw has impacted over 80,000 servers, highlighting the urgent need for system updates. The vulnerability allows attackers to execute malicious code, posing significant risks to users and organizations.
Critical Roundcube RCE Vulnerability Exploited
Impact and Exploitation
Roundcube, a popular webmail platform, has been a frequent target for advanced threat groups such as APT28 and Winter Vivern. These groups have exploited vulnerabilities to steal login credentials and spy on sensitive communications. The recent discovery of CVE-2025-49113, which had gone unnoticed for over a decade, underscores the risks associated with unpatched systems.
Vulnerability Details
The critical flaw, CVE-2025-49113, has a CVSS score of 9.9 and was discovered by Kirill Firsov, founder and CEO of FearsOff. The vulnerability affects Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It allows remote code execution by authenticated users due to the lack of validation of the _from parameter in a URL, leading to PHP object deserialization [1].
Patch and Mitigation
The vulnerability has been addressed in Roundcube versions 1.6.11 and 1.5.10 LTS. Users are strongly advised to update to these versions immediately to mitigate the risk. Firsov estimates that the flaw impacts over 53 million hosts, including those using tools like cPanel, Plesk, ISPConfig, and DirectAdmin. Details and proof-of-concept (PoC) will be published soon.
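To turn the affected-version ranges above into a quick triage check, here is an added Python example (not code from the article, Roundcube or FearsOff). It assumes that Roundcube records its release as `define('RCMAIL_VERSION', '...')` in `program/include/iniset.php`; verify that against your own install before relying on it.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory: every version before 1.5.10,
# and 1.6.x before 1.6.11. Fixed releases are 1.5.10 LTS and 1.6.11.
FIXED = {
    (1, 5): (1, 5, 10),
    (1, 6): (1, 6, 11),
}

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '1.6.10', 'v1.6.10-git' or '1.5' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is a fixed
    release, None if unparseable or outside the branches the advisory covers."""
    v = parse_version(version)
    if v is None:
        return None
    major, minor, _ = v
    if (major, minor) < (1, 5):
        return True                 # anything older than 1.5 is "before 1.5.10"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None                 # e.g. a 1.7 development build: not covered
    return v < fixed

# Assumption: the release string lives in program/include/iniset.php as
# define('RCMAIL_VERSION', '1.6.10');  -- check your install's layout.
VERSION_RE = re.compile(r"define\(\s*'RCMAIL_VERSION'\s*,\s*'([^']+)'\s*\)")

def version_from_iniset(source: str) -> Optional[str]:
    """Extract the RCMAIL_VERSION value from the contents of iniset.php."""
    m = VERSION_RE.search(source)
    return m.group(1) if m else None

def triage(source: str) -> Tuple[Optional[str], Optional[bool]]:
    """Return (version string, vulnerable?) for a given iniset.php body."""
    ver = version_from_iniset(source)
    return ver, (is_vulnerable(ver) if ver else None)

if __name__ == "__main__":
    # Constructed sample of the relevant line from an unpatched install.
    sample = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"
    print(triage(sample))  # ('1.6.10', True)
```

A result of `None` means the script could not place the version, so the install needs a manual look rather than being treated as safe.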
Expert Warnings
Researchers at Positive Technologies have reproduced the vulnerability and urge users to update to the latest version of Roundcube. The Shadowserver Foundation has warned that roughly 84,000 Roundcube instances exposed on the Internet are still unpatched [2].
Current Status
Shadowserver data shows that more than 84,000 Internet-facing servers are vulnerable. The urgency of updating to the patched versions cannot be overstated, as these servers remain high-value targets for threat actors.
For more details, visit the full article: source
Conclusion
The rapid exploitation of the Roundcube RCE vulnerability serves as a stark reminder of the importance of prompt patching and system updates. Organizations and users must remain vigilant and proactive in their cybersecurity measures to protect against such critical threats.
References
- [1] NVD (2025). "CVE-2025-49113". National Institute of Standards and Technology. Retrieved 2025-06-11.
- [2] The Shadowserver Foundation (2025). "Tweet". Twitter. Retrieved 2025-06-11.