Critical 10-Year-Old Roundcube Webmail Bug Allows Authenticated Users Run Malicious Code

Jun 03, 2025Ravie LakshmananEmail Security / Vulnerability

Cybersecurity researchers have disclosed details of a critical security flaw in the Roundcube webmail software that has gone unnoticed for a decade and could be exploited to take over susceptible systems and execute arbitrary code.

The vulnerability, tracked as CVE-2025-49113, carries a CVSS score of 9.9 out of 10.0. It has been described as a case of post-authenticated remote code execution via PHP object deserialization.

“Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization,” reads the description of the flaw in the NIST’s National Vulnerability Database (NVD).

The shortcoming, which affects all versions of the software before and including 1.6.10, has been addressed in 1.6.11 and 1.5.10 LTS. Kirill Firsov, founder and CEO of FearsOff, has been credited with discovering and reporting the flaw.

The Dubai-based cybersecurity company noted in a brief advisory that it intends to make public additional technical details and a proof-of-concept (PoC) “soon” so as to give users sufficient time to apply the necessary patches.

Previously disclosed security vulnerabilities in Roundcube have been a lucrative target for nation-state threat actors like APT28 and Winter Vivern. Last year, Positive Technologies revealed that unidentified hackers attempted to exploit a Roundcube flaw (CVE-2024-37383) as part of a phishing attack designed to steal user credentials.

Then a couple of weeks ago, ESET noted that APT28 had leveraged cross-site scripting (XSS) vulnerabilities in various webmail servers such as Roundcube, Horde, MDaemon, and Zimbra to harvest confidential data from specific email accounts belonging to governmental entities and defense companies in Eastern Europe.

Upgrade your audio game with the Logitech for Creators Blue Yeti USB Microphone. With over 33,730 ratings and an impressive 4.6 out of 5 stars, it’s no wonder this is an Amazon’s Choice product. Recently, 5K+ units were purchased in the past month.

Available in five stunning colors: Teal, Silver, Pink Dawn, Midnight Blue, and Blackout, this microphone is perfect for creators looking to produce exceptional audio. Priced at only $84.99, it’s a deal you can’t afford to miss.

Elevate your recordings with clear broadcast-quality sound and explore your creativity with enhanced effects, advanced modulation, and HD audio samples. Order now for just $84.99 on Amazon!

Help Power Techcratic’s Future – Scan To Support

If Techcratic’s content and insights have helped you, consider giving back by supporting the platform with crypto. Every contribution makes a difference, whether it’s for high-quality content, server maintenance, or future updates. Techcratic is constantly evolving, and your support helps drive that progress.

As a solo operator who wears all the hats, creating content, managing the tech, and running the site, your support allows me to stay focused on delivering valuable resources. Your support keeps everything running smoothly and enables me to continue creating the content you love. I’m deeply grateful for your support, it truly means the world to me! Thank you!