Security researchers have now identified a critical vulnerability in Roundcube Webmail that affects over 84,000 unpatched installations worldwide. This significant vulnerability, designated as CVE-2025-49113, enables authenticated attackers to remotely execute arbitrary code on the affected servers. It currently impacts all Roundcube versions from 1.1.0 through 1.6.10, representing a very serious threat to millions of webmail users. The popular webmail client is bundled by major hosting providers like GoDaddy and is also used by many universities and government agencies. This widespread adoption has unfortunately created what security researchers now describe as an “industrial scale” attack surface for many threat actors.
The critical vulnerability stems from a specific security flaw that is located in Roundcube’s session handling mechanism within a deserialization function. The underlying technical issue involves the improper parsing of session data when certain variable names begin with an exclamation mark (!). This specific condition causes the deserialization process to incorrectly shift its pointer positions, which ultimately corrupts the user’s session data. This created session corruption then creates significant opportunities for attackers to successfully launch PHP object injection attacks on the vulnerable server. These object injection attacks are what can ultimately lead to remote code execution, giving attackers full control over the compromised system.
Attackers can actively exploit this particular vulnerability through Roundcube’s standard file upload functionality by manipulating certain request parameters and filenames. The exploitation technique is known to successfully bypass typical Web Application Firewall (WAF) detection and only requires valid user credentials to execute. Shortly after the official patch was released on June 1st, hackers had already reverse-engineered it to develop a working exploit. This exploit was reportedly fully weaponized within forty-eight hours of the patch becoming public and was sold on various underground forums. The vulnerability’s rapid weaponization prompted security researchers to accelerate their own public disclosure of all the important technical details about it.
The Shadowserver Foundation now reports that as of June 8th, its internet scans still found nearly 85,000 Roundcube instances vulnerable. Most of these currently exposed instances are located in the United States, India, Germany, France, Canada, and also the United Kingdom. System administrators are therefore strongly recommended to update their systems to the new patched versions 1.6.11 and 1.5.10 as soon as possible. Organizations that are running any of the vulnerable versions are considered to be “sitting ducks” for potential exploitation by attackers. If immediate upgrading is impossible for them, it is recommended to restrict access to webmail and carefully monitor for any exploit indicators.
Reference:
