Vulnerability Management, Email security

Considerable compromise likely with critical decade-old Roundcube flaw


Attackers exploiting a critical Roundcube webmail vulnerability that lay hidden for a decade could take over vulnerable systems and execute arbitrary code, according to The Hacker News.

The post-authentication remote code execution flaw, tracked as CVE-2025-49113, affects all Roundcube webmail versions before 1.5.10 and 1.6.x versions before 1.6.11, according to a report from Dubai-based cybersecurity firm FearsOff. The issue stems from PHP object deserialization made possible by missing validation of the '_from' parameter in 'program/actions/settings/upload.php'; FearsOff said it would release further details alongside a proof-of-concept soon.

The disclosure comes as Roundcube flaws are increasingly exploited by state-backed hacking operations: ESET reported that APT28 used cross-site scripting issues in Roundcube and other webmail servers to compromise the email accounts of Eastern European government and defense organizations, and Positive Technologies disclosed attempted exploitation of another Roundcube bug, tracked as CVE-2024-37383, in credential theft attacks.
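As an added example (not from the article or the Roundcube project), the following Python check maps an inventory of Roundcube version strings onto the affected ranges reported above so an administrator can see which hosts still need the 1.5.10 or 1.6.11 update; the inventory values are constructed, and treating release lines after 1.6 as unaffected is my assumption, since the report only names those two ranges.

```python
"""Flag Roundcube installs in the CVE-2025-49113 affected ranges reported
in the article: every release before 1.5.10, and 1.6.x before 1.6.11."""

import re
from typing import Dict, List, Tuple

# Fixed releases named in the report.
FIXED_1_5 = (1, 5, 10)
FIXED_1_6 = (1, 6, 11)

# Constructed sample inventory (hostname -> reported Roundcube version).
SAMPLE_INVENTORY: Dict[str, str] = {
    "mail-a.example": "1.6.10",
    "mail-b.example": "1.6.11",
    "mail-c.example": "1.5.7",
    "mail-d.example": "v1.4.15",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' (optional leading 'v', trailing
    suffixes such as '-rc1' ignored) into a comparable tuple."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    """True when the version falls in an affected range from the report."""
    v = parse_version(version)
    if v[:2] == (1, 6):
        return v < FIXED_1_6        # 1.6.x before 1.6.11
    if v[:2] > (1, 6):
        return False                # assumption: later lines not listed as affected
    return v < FIXED_1_5            # everything before 1.5.10


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Roundcube version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected by CVE-2025-49113")
```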
