Critical Roundcube Webmail vulnerability exploited within days of disclosure
Take action: If you still haven't patched your Roundcube webmail installations, DO IT NOW! The critical flaw is already weaponized and attacks have started. With leaked passwords in circulation, assume that any unpatched instance will be compromised.
The critical vulnerability reported in Roundcube - CVE-2025-49113 (CVSS score 9.9) - is being actively exploited. This vulnerability has remained undetected for over a decade and now allows authenticated attackers to execute arbitrary code on vulnerable systems.
It's now described as "email armageddon" due to its potential for widespread exploitation. It has already been weaponized by cybercriminals who are selling working exploits on underground forums just days after the patch was released.
Within just 48 hours of Roundcube releasing security patches on June 1, 2025, attackers had analyzed the code changes, developed working exploits, and begun advertising them on hacker forums. While the vulnerability requires authentication to exploit, threat actors indicated they could extract credentials from logs, conduct brute force attacks, or potentially obtain them through cross-site request forgery (CSRF) techniques.
According to internet scanning data, this vulnerability affects an estimated 53 million hosts globally. Major hosting providers including GoDaddy, Hostinger, Dreamhost, and OVH include Roundcube in their service offerings, and numerous organizations in the government, academic, and technology sectors deploy it as their primary webmail solution.
Security researcher Firsov noted that the application has such widespread presence that penetration testers are more likely to encounter a Roundcube instance than discover an SSL misconfiguration, describing the attack surface as "industrial" in scale.
Roundcube has addressed the vulnerability by releasing security updates for both supported version branches. Users running Roundcube 1.6.x should immediately upgrade to version 1.6.11, while those on the long-term support branch should update to version 1.5.10.
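A branch-aware check of an installed version against the fixed releases named above, added here as an example (not code from the Roundcube project or from the article's author). It assumes the installed version is recorded as the PHP constant RCMAIL_VERSION in program/include/iniset.php; the sample file contents are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by supported branch.
FIXED_RELEASES = {(1, 6): (1, 6, 11), (1, 5): (1, 5, 10)}

# Assumption: Roundcube records its version as a PHP constant, e.g.
#   define('RCMAIL_VERSION', '1.6.10');
# in program/include/iniset.php. Only the numeric part is compared.
VERSION_DEFINE = re.compile(
    r"""define\(\s*['"]RCMAIL_VERSION['"]\s*,\s*['"]([0-9][^'"]*)['"]\s*\)""")


def parse_version(version_string):
    """'1.6.10' -> (1, 6, 10); pre-release suffixes such as '-git' are dropped."""
    numeric = version_string.split("-")[0]
    parts = tuple(int(p) for p in numeric.split(".") if p.isdigit())
    # Pad to three components so '1.6' compares like '1.6.0'.
    return parts + (0,) * (3 - len(parts)) if len(parts) >= 2 else None


def version_from_iniset(source_text):
    """Extract the version tuple from the contents of iniset.php, or None."""
    match = VERSION_DEFINE.search(source_text)
    return parse_version(match.group(1)) if match else None


def assess(version):
    """Classify a version tuple against the CVE-2025-49113 fixed releases.

    Returns 'patched', 'vulnerable', 'unsupported' (a branch older than 1.5,
    which receives no fix) or 'unknown' (a branch the advisory does not cover).
    """
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return "patched" if version >= FIXED_RELEASES[branch] else "vulnerable"
    return "unsupported" if branch < (1, 5) else "unknown"


# Constructed sample of the define line from an unpatched 1.6.x install.
SAMPLE_INISET = "<?php\ndefine('RCMAIL_VERSION', '1.6.10');\n"

if __name__ == "__main__":
    found = version_from_iniset(SAMPLE_INISET)
    print(".".join(map(str, found)), assess(found))  # 1.6.10 vulnerable
```

Run it against the real file (for example, `open('/var/www/roundcube/program/include/iniset.php').read()`) to classify each host in an inventory.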