A decade-old critical security vulnerability has been discovered in Roundcube Webmail that could allow authenticated attackers to execute arbitrary code on vulnerable systems, potentially affecting millions of installations worldwide.

The flaw, tracked as CVE-2025-49113, carries an alarming CVSS score of 9.9 out of 10.0, marking it as one of the most severe vulnerabilities discovered in recent years.

The vulnerability affects all Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11, representing a staggering scope of impact that includes over 53 million hosts globally.

The flaw particularly concerns popular web hosting control panels such as cPanel, Plesk, ISPConfig, and DirectAdmin, which bundle Roundcube as their default webmail solution.

Kirill Firsov, founder and CEO of Dubai-based cybersecurity firm FearsOff, discovered this post-authenticated remote code execution vulnerability that exploits PHP object deserialization.

The security flaw stems from insufficient validation of the _from parameter in the URL within the program/actions/settings/upload.php file, enabling malicious users to manipulate serialized PHP objects and execute arbitrary code on the server.

Roundcube has historically been a prime target for advanced persistent threat groups. Previous vulnerabilities in the webmail platform have been exploited by nation-state actors including APT28 and Winter Vivern.

Last year, unidentified hackers attempted to exploit CVE-2024-37383 in phishing attacks aimed at stealing user credentials.

More recently, ESET researchers documented APT28’s exploitation of cross-site scripting vulnerabilities in various webmail servers, including Roundcube, to harvest confidential data from governmental entities and defense companies in Eastern Europe.

The Centre for Cybersecurity Belgium has issued urgent warnings, strongly recommending that organizations install updates with the highest priority after thorough testing. Fixed versions are now available with Roundcube Webmail 1.6.11 and 1.5.10 LTS addressing the vulnerability.

FearsOff has indicated plans to publish comprehensive technical details and proof-of-concept code soon, following responsible disclosure practices to allow sufficient time for affected parties to implement necessary patches.

This approach demonstrates the cybersecurity community’s commitment to providing organizations adequate time to secure their systems before detailed exploitation methods become public.

Organizations using Roundcube Webmail should prioritize immediate patching and implement enhanced monitoring capabilities to detect any suspicious activities that might indicate attempted exploitation of this critical vulnerability.

10-Year-Old Roundcube RCE Vulnerability Let Attackers Execute Malicious Code

A critical security vulnerability in Roundcube Webmail, tracked as CVE-2025-49113, allows authenticated attackers to execute arbitrary code on vulnerable systems, affecting over 53 million installations globally. The flaw, discovered by Kirill Firsov of Dubai-based cybersecurity firm FearsOff, exploits PHP object deserialization in Roundcube versions prior to 1.5.10 and 1.6.11. Previous vulnerabilities have been exploited by APT groups like APT28, and organizations are urged to apply patches immediately.