Critical decade-old flaw in Roundcube Webmail enables remote code execution

Cybersecurity researchers are reporting  a critical security vulnerability in Roundcube Webmail that has remained undetected for an entire decade, exposing millions of email systems worldwide to potential compromise.

The vulnerability is tracked as CVE-2025-49113 (CVSS score 9.9). It's a post-authenticated remote code execution via PHP object deserialization. The vulnerability stems from insufficient validation of the _from parameter in URLs processed by the program/actions/settings/upload.php file, which leads to PHP Object Deserialization flaws. 

This enables attackers to manipulate URL parameters in a way that tricks Roundcube into processing malicious payloads and execute arbitrary malicious code on vulnerable Roundcube installations.

Affected Versions:

• All Roundcube Webmail versions before 1.5.10
• All Roundcube Webmail versions 1.6.x before 1.6.11
• All versions up to and including 1.6.10

Patched Versions:

• Roundcube Webmail version 1.5.10 LTS and later
• Roundcube Webmail version 1.6.11 and later

The vulnerability affects an estimated 53 million hosts worldwide, according to research conducted by FearsOff, the cybersecurity firm that discovered the flaw. In their advisory FearsOff announce that they intend to release additional technical details and a proof-of-concept demonstration in the near future.

The vulnerability requires authentication to exploit, so attackers must first obtain valid credentials to access the webmail system. However, cybersecurity experts warn that this requirement does not significantly diminish the threat level, as authentication barriers can often be overcome through phishing campaigns, credential stuffing attacks, or exploitation of compromised user accounts.

Organizations should patch their Roundcube installations as soon as possible.