A critical vulnerability in Roundcube Webmail, tracked as CVE-2025-49113, has been actively exploited in the wild, allowing remote code execution by authenticated users. This flaw, which affects Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11, has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of February 20, 2026, highlighting its severity and the urgency for remediation.
The vulnerability arises from improper validation of the _from parameter in the URL of the `upload.php` script within the settings actions of Roundcube Webmail. This oversight leads to PHP Object Deserialization, a common vector for remote code execution attacks. With a CVSS score of 8.8, the flaw is classified as high severity, and its Exploit Prediction Scoring System (EPSS) score of 0.909 indicates a high likelihood of exploitation.
Reports of dark web activity surrounding this vulnerability suggest that attackers have been preparing to leverage it for broader campaigns. The availability of a working exploit and 25 proof-of-concept (PoC) examples further underscores the risk to organizations using vulnerable versions of Roundcube Webmail. The vulnerability was disclosed on June 2, 2025, and has been exploited within 263 days of its disclosure, demonstrating a rapid transition from identification to active exploitation.
Organizations using Roundcube Webmail should prioritize patching to mitigate this threat. The recommended action is to upgrade to version 1.5.10 or 1.6.11, where the vulnerability has been addressed. Given the vulnerability's inclusion in the KEV catalog and its exploitation in the wild, immediate attention is warranted to prevent potential breaches.
Security teams should also monitor for any signs of compromise, particularly focusing on unusual activity related to the `upload.php` script. Implementing additional security measures, such as web application firewalls and intrusion detection systems, can help detect and block exploitation attempts. As the vulnerability continues to be exploited, staying vigilant and ensuring systems are updated is crucial to maintaining security posture.
CSURFACE