A critical vulnerability in Roundcube Webmail, tracked as CVE-2025-49113, is actively being exploited in the wild, allowing remote code execution by authenticated users. This flaw, which affects versions before 1.5.10 and 1.6.x before 1.6.11, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 20, 2026, underscoring its severity and the urgency for remediation.
The vulnerability arises from improper validation of the `_from` parameter in the URL within the `upload.php` script of Roundcube's settings actions. This oversight leads to PHP Object Deserialization, a common vector for remote code execution attacks. With a CVSS score of 8.8 and an Exploit Prediction Scoring System (EPSS) rating of 0.905, the flaw is considered high-risk, necessitating immediate attention from administrators.
Exploitation of this vulnerability allows attackers to execute arbitrary code on the server, potentially leading to full system compromise. The attack requires authentication, but given the widespread use of Roundcube in webmail services, the impact could be significant if not promptly addressed. The vulnerability was disclosed on June 2, 2025, and has been exploited within 263 days of its disclosure, highlighting the rapid pace at which threat actors have moved to leverage this flaw.
Security researchers have observed increased activity on dark web forums, indicating that threat actors are actively discussing and sharing exploits for this vulnerability. As of now, there is one known exploit and 25 proof-of-concept (PoC) scripts available, which further facilitates the exploitation process by malicious actors.
Administrators are urged to upgrade to the latest versions of Roundcube Webmail to mitigate this risk. The vulnerability has been classified with a Stakeholder-Specific Vulnerability Categorization (SSVC) of 'attend,' meaning it requires immediate action to prevent potential exploitation. Given the active exploitation and the availability of PoC scripts, delaying patching could result in severe consequences, including data breaches and unauthorized access to sensitive information.
Organizations using Roundcube Webmail should prioritize patching and review their systems for any signs of compromise. Monitoring for unusual activity and ensuring that all user accounts are secure with strong, unique passwords can help mitigate the risk of exploitation. As the threat landscape continues to evolve, staying vigilant and proactive in applying security updates remains crucial.
CSURFACE