Roundcube Releases Security Updates for Webmail

Updates address a vulnerability that could lead to authenticated remote code execution


Affected platforms

The following platforms are known to be affected:

Threat details

Proof-of-concept exploit released for CVE-2025-49113

Security researchers have published a public proof-of-concept exploit for CVE-2025-49113. Affected organisations are urged to patch as soon as possible. The NHS England National CSOC assesses exploitation of this vulnerability as more likely.


Introduction

Roundcube has released versions 1.6.11 and 1.5.10 of its Webmail product. The updated versions address a critical-severity vulnerability:

  • CVE-2025-49113 has a CVSSv3 score of 9.9 and is a "deserialisation of untrusted data" vulnerability. An authenticated remote attacker could exploit this vulnerability to achieve remote code execution.

Threat updates

| Date | Update |
|---|---|
| 11 Jun 2025 | Proof-of-concept exploit released for CVE-2025-49113 |
| 5 Jun 2025 | Security researchers have released a full technical breakdown of the exploit for CVE-2025-49113. |

Remediation advice

Affected organisations are encouraged to review the Roundcube Security updates 1.6.11 and 1.5.10 advisory and apply the update for the latest release.
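
To help prioritise the update across several installations, the following added example (not part of the original advisory and not Roundcube tooling) triages reported version strings against the two fixed releases named above, per branch, so that 1.5.10 is not flagged merely for being lower than 1.6.11. It assumes version strings have already been collected from an asset inventory; the function names and sample hosts are hypothetical, and branches with no fixed release named here are marked for manual review rather than guessed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?([-+~]\S*)?\s*$")

def parse_version(text):
    """Return ((major, minor, patch), suffix) or None if not a version string."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3] or 0)), m[4] or ""

def triage(version_text):
    """Classify one reported version: patched, update, review or unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    version, suffix = parsed
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "review"  # branch with no fixed release named in the advisory
    if version == fixed and suffix:
        return "review"  # pre-release or custom build of the fixed version
    return "patched" if version >= fixed else "update"

def triage_inventory(inventory):
    """Group host names by triage status."""
    groups = {}
    for host, version_text in sorted(inventory.items()):
        groups.setdefault(triage(version_text), []).append(host)
    return groups

# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = {
    "mail-a.example.test": "1.6.10",
    "mail-b.example.test": "1.6.11",
    "mail-c.example.test": "1.5.10",
    "mail-d.example.test": "1.4.15",
    "mail-e.example.test": "1.6.11-rc",
    "mail-f.example.test": "not reported",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```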



Last edited: 11 June 2025 11:00 am