A critical vulnerability in the popular open-source Roundcube webmail platform is now being actively exploited in the wild, with hackers selling working remote code execution (RCE) exploits on underground forums.

The flaw, CVE-2025-49113, affects Roundcube versions 1.1.0 through 1.6.10 and was patched on June 1st in releases 1.6.11 and 1.5.10.

The vulnerability, dubbed "email armageddon" by security researchers, stems from unsanitized user input in the $_GET['_from'] parameter, which enables PHP object injection and, ultimately, code execution by an authenticated user. Although exploitation requires valid credentials, threat actors have been seen bundling the exploit with techniques for extracting or brute-forcing logins, or for abusing CSRF to hijack existing sessions.

Security researcher Kirill Firsov, CEO of cybersecurity firm FearsOff, discovered and reported the flaw. Citing the urgency of ongoing exploitation, Firsov published a technical breakdown to assist defenders, though he withheld the full proof-of-concept (PoC). “Given the active exploitation… it is in the best interest of defenders to publish a full technical breakdown,” he explained.

Roundcube is included by default in hosting services from GoDaddy, Hostinger, Dreamhost, and OVH, and is widely used in government, education, and enterprise sectors. Search engine scans show over 1.2 million Roundcube hosts exposed online, underlining the scale of the attack surface.

Administrators are urged to apply the latest security update immediately and to audit access logs for suspicious activity, in particular requests carrying unusual values in the _from parameter. With exploit brokers reportedly offering up to $50,000 for a Roundcube RCE exploit, timely patching is critical.
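As an added example (not code from the article, from Roundcube, or from the researcher), the script below shows one way to act on the log-audit advice: it scans web-server access logs for requests to the settings upload action and flags any whose decoded _from value is not a plain identifier. It assumes the vulnerable action is reached via _task=settings&_action=upload, that a legitimate _from value matches [A-Za-z0-9_-]+ (Roundcube's own validation in the fix may differ), and that logs are in the Apache/nginx "combined" format; the sample log lines are constructed for the demonstration and are not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in Apache/nginx "combined" format (not real traffic).
# Lines 3 and 4 carry _from values with delimiter and path characters that no
# legitimate identifier would contain.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jun/2025:10:14:02 +0000] "GET /roundcube/?_task=mail&_action=list HTTP/1.1" 200 4812 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Jun/2025:10:14:40 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 318 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jun/2025:10:15:11 +0000] "POST /roundcube/?_task=settings&_action=upload&_from=edit-identity%21%7Ca%3A1 HTTP/1.1" 200 318 "-" "curl/8.5.0"
198.51.100.7 - - [02/Jun/2025:10:15:12 +0000] "GET /roundcube/?_task=settings&_action=upload&_from=..%2F..%2Fetc HTTP/1.1" 200 318 "-" "curl/8.5.0"
"""

# Combined-log prefix: client IP, identd, user, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed allow-list for a legitimate _from value: a short identifier such as "edit-identity".
# Delimiters, path separators or serialized-data characters fail this check and get reported.
SAFE_FROM = re.compile(r'^[A-Za-z0-9_-]+$')


def parse_line(line):
    """Return (ip, timestamp, method, query-dict) for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so encoded characters in _from are seen as the server saw them.
    query = parse_qs(urlsplit(m.group('target')).query)
    return m.group('ip'), m.group('ts'), m.group('method'), query


def is_settings_upload(query):
    """True for requests to the settings upload action (assumed: _task=settings&_action=upload)."""
    return query.get('_task') == ['settings'] and query.get('_action') == ['upload']


def audit(log_text):
    """Return findings for upload requests whose decoded _from value fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, query = parsed
        if not is_settings_upload(query):
            continue
        for value in query.get('_from', []):
            if not SAFE_FROM.match(value):
                findings.append({'ip': ip, 'ts': ts, 'method': method, 'from': value})
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} _from={f['from']!r}")
```

A hit from this script is a reason to look closer (which account was logged in, what the session did next), not proof of compromise on its own; a clean result does not prove the absence of exploitation either, since the upload action may be served by a different front end or the logs may have been rotated away.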
