Description
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
Products
Questions to Ask Vendors
- Can you confirm that all instances of Roundcube Webmail have been updated to 1.5.10 or later (1.5 LTS) or 1.6.11 or later (1.6.x) to address CVE-2025-49113? (These releases also carry the earlier fix for CVE-2024-42009.)
- Have you implemented monitoring of web-server access logs for requests to the Roundcube settings upload action (index.php with _task=settings&_action=upload) whose _from query parameter does not match the expected add-<type> or edit-<type> form? Note that program/actions/settings/upload.php is the handler's source file, not a URL path, so it will not appear in access logs by that name.
- Have you reviewed file permissions so that the web-server user has only the minimum filesystem access it needs (read-only on Roundcube's code, write access only to the directories Roundcube requires), to limit what a deserialization-based code execution can do?
- Have you audited all authenticated user accounts for suspicious configuration changes or unexpected mail forwarding rules as part of your remediation for CVE-2025-49113?
 
Recommended Actions
- Audit User Accounts: Immediately review all authenticated user accounts for suspicious configuration changes or unexpected mail forwarding rules.
- Harden Web Access: Restrict access to the Roundcube web interface, or at minimum to the settings upload action (_task=settings&_action=upload), to authorized IP ranges, and enforce multi-factor authentication for all mail users. Roundcube dispatches every action through index.php, so a per-file restriction on upload.php would not apply. Because exploitation requires an authenticated session, MFA directly raises the cost of an attack.
- Monitor for Exploit Indicators: Watch web-server access logs for requests with _task=settings&_action=upload whose _from query parameter contains anything beyond the expected add-<type> or edit-<type> value, for example PHP serialized-object syntax such as O:NN:"ClassName". The payload travels in the _from URL parameter, not in the multipart upload body, so request size alone is not a reliable signal.
- Review File Permissions: Ensure that the web-server user has only the minimum necessary filesystem permissions, to limit post-exploitation damage.
- Upgrade Roundcube: 1.5 LTS installations: update to 1.5.10 or later. 1.6.x installations: update to 1.6.11 or later. Upgrading is the only complete fix; the measures above reduce exposure but do not remove the vulnerability.
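
The monitoring recommendation above, as an added worked example that is not part of this advisory or of the Roundcube project: a small Python scanner over constructed Apache/nginx combined-format log lines. It assumes (this is not stated on the page) that the upload handler is reached as index.php?_task=settings&_action=upload and that a legitimate _from value has the shape add-<type> or edit-<type>; any _from value that does not match that shape on an upload request is reported. The regular expressions, function names and sample log lines are the example's own.

```python
"""Scan web-server access logs for suspicious Roundcube settings/upload requests.

Added illustrative example, not code from the advisory or from Roundcube.
Assumptions (not taken from the page): Roundcube dispatches actions through
index.php with the _task and _action query parameters, so the upload handler
is reached as ?_task=settings&_action=upload rather than via the source path
program/actions/settings/upload.php; and a benign _from value looks like
"add-<type>" or "edit-<type>" (for example edit-identity).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Expected shape of a legitimate _from value (assumption, see module docstring).
FROM_OK = re.compile(r'^(add|edit)-[a-z_]+$')


def check_line(line):
    """Return a short reason string if the line looks like an attempt to abuse
    the settings upload action, or None if it is benign or not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # parse_qs percent-decodes values, so encoded '!', '|', ':' and '"' in the
    # attacker's _from value are visible to the pattern check below.
    qs = parse_qs(urlsplit(m.group('path')).query, keep_blank_values=True)
    if qs.get('_task') != ['settings'] or qs.get('_action') != ['upload']:
        return None
    for value in qs.get('_from', []):
        if not FROM_OK.match(value):
            return (f"{m.group('ip')} user={m.group('user')} "
                    f"at {m.group('time')}: suspicious _from={value!r}")
    return None


def scan(lines):
    """Run check_line over an iterable of log lines; return the non-empty findings."""
    return [r for r in (check_line(l) for l in lines) if r]


# Constructed sample log lines (not real traffic, not from the advisory).
SAMPLE_LOG = [
    # Ordinary identity upload with a well-formed _from: not reported.
    '198.51.100.4 - - [05/Jun/2025:10:12:01 +0000] "POST /?_task=settings'
    '&_action=upload&_from=edit-identity&_id=1 HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
    # Unrelated mail listing request: not reported.
    '198.51.100.4 - - [05/Jun/2025:10:13:40 +0000] "GET /?_task=mail&_action=list'
    ' HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    # _from carrying serialized-object syntax (edit-!evil|O:1:"x":0:{} once decoded).
    '203.0.113.7 - - [05/Jun/2025:10:14:22 +0000] "POST /?_task=settings'
    '&_action=upload&_from=edit-%21evil%7CO%3A1%3A%22x%22%3A0%3A%7B%7D HTTP/1.1"'
    ' 200 512 "-" "curl/8.5.0"',
    # Garbage line that does not parse: skipped.
    'not a log line',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run it directly to see the one flagged request from 203.0.113.7; on a real deployment replace SAMPLE_LOG with the lines of the web server's access log. The check deliberately keys on the shape of _from rather than on a specific payload, so a variant that encodes the serialized object differently is still caught as long as the request targets the upload action.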
 
References