BleepingComputer reports that attacks exploiting a critical remote code execution vulnerability in Roundcube webmail, tracked as CVE-2025-49113, could compromise 84,925 instances around the world. The U.S. accounted for the largest number of vulnerable Roundcube webmail instances at 19,500, followed by India, Germany, France, and Canada, according to The Shadowserver Foundation. The flaw, which arises from PHP object deserialization and session corruption caused by unsanitized $_GET['_from'] input, went undetected for more than a decade and affects all Roundcube versions 1.1.0 to 1.6.10. With log scraping, brute-force, and cross-site request forgery attacks enabling credential theft while circumventing authentication, organizations have been urged to immediately update to versions 1.6.11 and 1.5.10, released earlier this month, to prevent potential compromise. Organizations that cannot apply version upgrades could also avert the threat by limiting webmail access, deactivating file uploads, and adding CSRF defenses, as well as by tracking exploit indicators and restricting risky PHP functionality.