A newly discovered critical vulnerability in Roundcube webmail—CVE-2025-49113—has left over 84,000 servers exposed to potential remote code execution (RCE) attacks.
The flaw affects versions 1.1.0 through 1.6.10, spanning more than a decade of software releases.
Discovered by security researcher Kirill Firsov, the vulnerability stems from the unvalidated `_from` GET parameter handled by the settings upload action (program/actions/settings/upload.php). A crafted value corrupts the stored session record, which lets an attacker smuggle serialized data into the session that Roundcube later deserializes, turning the bug into PHP object injection and, with a suitable gadget, remote code execution. Exploitation requires a valid login, but attackers can reportedly obtain credentials through CSRF, log scraping, or brute-force attacks.
A patch was issued on June 1, 2025, but attackers quickly diffed it against the vulnerable code to build a working exploit, which is now being sold on underground forums.
According to data from The Shadowserver Foundation, 84,925 vulnerable instances are still exposed online, primarily in the U.S. (19,500), India (15,500), and Germany (13,600).
Administrators are strongly urged to update immediately to Roundcube 1.6.11, or to 1.5.10 on the 1.5 branch; the 1.1 through 1.4 branches have no fixed release and must be upgraded to a supported branch. If upgrading isn't possible right away, interim mitigations include restricting network access to the webmail interface, disabling file uploads, making sure CSRF protection is enabled, and restricting dangerous PHP functions (for example via `disable_functions` in php.ini). None of these removes the bug, and with mass exploitation likely imminent, prompt patching is critical.
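For administrators triaging this issue, the following script is an added example (not code from the article or from the Roundcube project). It does two things: it classifies an installed Roundcube version against the affected range and fixed releases named above, and it scans web-server access-log lines for requests to the upload action whose `_from` value is not a plain identifier. The log heuristic rests on an assumption: that legitimate `_from` values are simple tokens such as `edit-identity`, so anything else is worth a look. The log lines are constructed for the demonstration; IPs are from documentation ranges.

```python
"""Triage helpers for CVE-2025-49113 (Roundcube Webmail).

Added example, not code from the article or the Roundcube project.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Fixed releases named in the advisory: 1.5.10 on the 1.5 branch, 1.6.11 on
# the 1.6 branch. Branches 1.1-1.4 received no fix. Branches newer than 1.6
# are assumed to carry the fix (an assumption, not a statement from the page).
FIXED = {(1, 5): (1, 5, 10), (1, 6): (1, 6, 11)}
FIRST_AFFECTED = (1, 1, 0)


def parse_version(text):
    """Turn '1.6.10' into (1, 6, 10); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the given release falls in the range the advisory lists."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    return branch < (1, 5)  # 1.1-1.4: every release is affected


# Request line inside an Apache/nginx combined-format log entry.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Assumed shape of a legitimate _from value (e.g. "edit-identity").
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")


def suspicious_upload_requests(log_lines):
    """Return (client_ip, task, _from value) for upload requests whose
    _from parameter contains characters outside the identifier charset.
    parse_qs URL-decodes the value, so %21 is checked as '!'."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        qs = parse_qs(urlsplit(m.group(1)).query)
        if qs.get("_action") != ["upload"]:
            continue
        task = qs.get("_task", ["(none)"])[0]
        for value in qs.get("_from", []):
            if not SAFE_FROM.match(value):
                hits.append((line.split()[0], task, value))
    return hits


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Jun/2025:10:01:12 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity&_id=5 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/Jun/2025:10:02:40 +0000] "GET /?_task=settings&_action=upload&_from=edit-identity%21abc HTTP/1.1" 200 188 "-" "curl/8.5.0"',
    '203.0.113.5 - - [03/Jun/2025:10:03:01 +0000] "GET /?_task=mail&_action=list HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jun/2025:10:04:09 +0000] "POST /?_task=mail&_action=upload&_id=abc HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ver in ("1.4.15", "1.5.9", "1.5.10", "1.6.10", "1.6.11"):
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'fixed/not in range'}")
    for ip, task, value in suspicious_upload_requests(SAMPLE_LOG):
        print(f"suspicious _from from {ip} (task={task}): {value!r}")
```

On a real host, feed `is_affected()` the value of `RCMAIL_VERSION` from the installed tree and pass the access log to `suspicious_upload_requests()`; a hit is a lead to investigate, not proof of compromise, since the heuristic only checks the shape of the parameter.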
Bijay Pokharel