Threat Advisory

Roundcube Vulnerabilities Enable Remote Code Execution and Credential Theft

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A vulnerability has been disclosed in Roundcube Webmail affecting releases before 1.5.10 and 1.6.x releases before 1.6.11. The flaw allows an authenticated user to achieve remote code execution: the _from parameter in the URL of the settings upload functionality (upload.php) is not validated, and a crafted value leads to PHP object deserialization on the server. Because the attack is post-authentication, any valid mailbox account, including one obtained through phishing, is enough to reach the vulnerable code path. Successful exploitation results in arbitrary code execution and full compromise of the mail server. Administrators are strongly advised to update to the patched versions immediately.

  • CVE-2025-49113: A post-authentication remote code execution vulnerability in Roundcube Webmail. It arises from missing validation of the _from parameter in upload.php, which leads to PHP object deserialization. An authenticated attacker can exploit the flaw to execute arbitrary code on the server. The vulnerability has a CVSS score of 9.9 and is fixed in 1.5.10 and 1.6.11.
  • CVE-2024-37383: A cross-site scripting (XSS) vulnerability in Roundcube Webmail, triggered through SVG animate attributes in a crafted email, that was exploited in phishing attacks to steal user credentials. Opening the malicious message was enough to run attacker-controlled script in the victim's webmail session and capture sensitive information. The vulnerability has a CVSS score of 6.1 and is fixed in 1.5.7 and 1.6.7.


RECOMMENDATION:

  • We strongly recommend updating Roundcube to version 1.5.10 (1.5.x branch) or 1.6.11 (1.6.x branch), whichever matches your installed branch. Both releases also contain the fix for CVE-2024-37383. Until the update is applied, review web-server logs for requests to the settings upload action carrying unusual _from values, and treat any account that submitted such a request as potentially compromised.
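The following script is an added example for this advisory, not code from the advisory or from the Roundcube project. It covers the two checks a practitioner would run after reading the CVE descriptions above and the recommendation: a branch-aware comparison of an installed Roundcube version against the first fixed release for each CVE, and a heuristic scan of Apache-style access logs for requests to the settings upload action whose _from parameter does not look like a plain form name. The fixed-version table follows the versions stated on this page; the character allowlist used for _from is an assumption made for this example and is not Roundcube's own validation routine; the log lines are constructed for the demonstration and contain no real exploit payload.

```python
import re
from urllib.parse import parse_qs, urlsplit

# First fixed release per branch. Values for CVE-2025-49113 are taken from
# the advisory above; values for CVE-2024-37383 from its public fix notes.
# Branches older than 1.5 (e.g. 1.4.x) received no fix and are treated as
# exposed; branches newer than 1.6 are treated as not exposed.
FIXED_VERSIONS = {
    "CVE-2025-49113": {"1.5": (1, 5, 10), "1.6": (1, 6, 11)},
    "CVE-2024-37383": {"1.5": (1, 5, 7), "1.6": (1, 6, 7)},
}

# ASSUMPTION for this example: a legitimate _from value names a form
# (letters, digits, '-' or '_'). Anything else is flagged for review.
SAFE_FROM = re.compile(r"^[A-Za-z0-9_-]+$")

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> tuple:
    """Turn '1.6.10' into (1, 6, 10); trailing suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Roundcube version: {version!r}")
    return tuple(int(part) for part in m.groups())


def exposed_cves(version: str) -> list:
    """Return the CVEs on this page that the given Roundcube release lacks a fix for."""
    ver = parse_version(version)
    branch = f"{ver[0]}.{ver[1]}"
    exposed = []
    for cve, fixes in FIXED_VERSIONS.items():
        fixed = fixes.get(branch)
        if fixed is None:
            # No fix exists on this branch: exposed if it predates every fix.
            if ver < min(fixes.values()):
                exposed.append(cve)
        elif ver < fixed:
            exposed.append(cve)
    return exposed


def suspicious_upload_requests(log_lines) -> list:
    """Flag requests to _task=settings&_action=upload whose _from value
    fails the allowlist. Returns one dict per hit (client, time, value)."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = parse_qs(urlsplit(m.group("url")).query, keep_blank_values=True)
        if query.get("_task") != ["settings"] or query.get("_action") != ["upload"]:
            continue
        for value in query.get("_from", []):
            if not SAFE_FROM.match(value):
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": m.group("status"), "from": value})
    return hits


# Constructed sample log lines (not real traffic). The second request carries
# a _from value with characters outside the allowlist; the third is unrelated.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2025:10:15:01 +0000] '
    '"POST /?_task=settings&_action=upload&_from=edit-identity HTTP/1.1" 200 512',
    '203.0.113.9 - - [02/Jun/2025:10:16:44 +0000] '
    '"POST /?_task=settings&_action=upload&_from=%21x%3Ay%7B HTTP/1.1" 200 300',
    '198.51.100.7 - - [02/Jun/2025:10:17:02 +0000] '
    '"GET /?_task=mail&_action=show&_uid=42 HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for v in ("1.6.10", "1.6.6", "1.5.10", "1.4.15"):
        print(v, "exposed to:", exposed_cves(v) or "nothing on this page")
    for hit in suspicious_upload_requests(SAMPLE_LOG):
        print("review account activity from", hit["ip"], "at", hit["ts"], "->", hit["from"])
```

Run it against the output of `rcube-version` or the VERSION string in the Roundcube install directory, and pipe the real access log into `suspicious_upload_requests`. A hit is a lead, not proof of compromise: the allowlist is deliberately strict, so confirm by checking the session and PHP error logs for the same client and time window before escalating.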


REFERENCES:

The following reports contain further technical details:
