Significant Decade-Old Vulnerability in Roundcube Webmail Enables Authenticated Users to Execute Malicious Code
Cybersecurity researchers have identified a critical vulnerability in the Roundcube webmail software, which has remained undetected for over a decade. This security flaw, tracked as CVE-2025-49113, poses a risk of system takeover and arbitrary code execution, receiving a CVSS score of 9.9 out of 10.0.
The vulnerability allows post-authentication remote code execution through PHP object deserialization due to inadequate validation of the from parameter in the URL within PLACEHOLDER6c134b92eec93bb2, as indicated in the National Vulnerability Database (NVD).
This issue affects all versions of Roundcube prior to and including 1.6.10. It has been addressed in the recent updates, versions 1.6.11 and 1.5.10 LTS, following its discovery and reporting by Kirill Firsov, the founder and CEO of FearsOff.
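The affected and fixed versions stated above are easy to get wrong in an inventory check: a naive "version at or below 1.6.10" test would flag the patched 1.5.10 LTS release, which sorts below 1.6.10. The following branch-aware check is an added example, not code from the article or from the Roundcube project; the function names and the sample version strings are constructed for illustration.

```python
# Added example: decide whether an installed Roundcube version still lacks the
# fix for CVE-2025-49113, using only the facts in the article: every release up
# to and including 1.6.10 is affected, and fixes shipped as 1.6.11 and 1.5.10 LTS.
import re
from typing import Tuple

# Earliest fixed release on each maintained branch, per the advisory text.
FIXED_RELEASES = {
    (1, 6): (1, 6, 11),
    (1, 5): (1, 5, 10),
}

# Highest release named as affected; older branches have no fixed build.
LAST_AFFECTED = (1, 6, 10)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse strings such as '1.6.10', '1.5.10-lts' or 'v1.6.11' into a tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised Roundcube version string: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """Return True if this release has no fix for CVE-2025-49113."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is not None:
        # Maintained branch: vulnerable only below that branch's fixed release,
        # so 1.5.10 is treated as patched even though it sorts below 1.6.10.
        return v < fixed
    # Any other branch (e.g. 1.4.x): affected if at or below the last affected
    # release; no fixed build exists there, so a branch upgrade is required.
    return v <= LAST_AFFECTED


def remediation(version: str) -> str:
    """Human-readable guidance for a scanner or asset-inventory report."""
    if not is_vulnerable(version):
        return f"{version}: not affected by CVE-2025-49113"
    fixed = FIXED_RELEASES.get(parse_version(version)[:2])
    if fixed is not None:
        return f"{version}: vulnerable, upgrade to {'.'.join(map(str, fixed))}"
    return f"{version}: vulnerable, branch unmaintained, upgrade to 1.6.11 or 1.5.10 LTS"


if __name__ == "__main__":
    # Constructed sample inputs covering both branches and an older release.
    for sample in ("1.6.10", "1.6.11", "1.5.9", "1.5.10", "1.4.15"):
        print(remediation(sample))
```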
FearsOff, a Dubai-based cybersecurity company, has announced intentions to release additional technical details and a proof-of-concept (PoC) in the near future, ensuring users have ample time to implement the necessary patches.
Historical data shows that Roundcube vulnerabilities have attracted considerable attention from nation-state actors. For example, APT28 and Winter Vivern have previously targeted such flaws. Last year, Positive Technologies reported that hackers attempted to exploit a different Roundcube vulnerability (CVE-2024-37383) in a phishing attack aimed at credential theft.
Furthermore, ESET recently highlighted activities by APT28, noting their exploitation of cross-site scripting (XSS) vulnerabilities in various webmail platforms, including Roundcube, Horde, MDaemon, and Zimbra. This exploitation was aimed at collecting confidential information from email accounts linked to governmental and defense entities in Eastern Europe.